env variable for turning off csp

hosting/proxy/nginx.prod.conf

@@ -50,19 +50,6 @@ http {
     ignore_invalid_headers off;
     proxy_buffering off;
 
-    set $csp_default "default-src 'self'";
-    set $csp_script "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://*.budibase.net https://cdn.budi.live https://js.intercomcdn.com https://widget.intercom.io https://d2l5prqdbvm3op.cloudfront.net https://us-assets.i.posthog.com";
-    set $csp_style "style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net https://fonts.googleapis.com https://rsms.me https://maxcdn.bootstrapcdn.com";
-    set $csp_object "object-src 'none'";
-    set $csp_base_uri "base-uri 'self'";
-    set $csp_connect "connect-src 'self' https://*.budibase.app https://*.budibaseqa.app https://*.budibase.net https://api-iam.intercom.io https://api-iam.intercom.io  https://api-ping.intercom.io https://app.posthog.com https://us.i.posthog.com wss://nexus-websocket-a.intercom.io  wss://nexus-websocket-b.intercom.io https://nexus-websocket-a.intercom.io https://nexus-websocket-b.intercom.io  https://uploads.intercomcdn.com  https://uploads.intercomusercontent.com https://*.amazonaws.com https://*.s3.amazonaws.com https://*.s3.us-east-2.amazonaws.com https://*.s3.us-east-1.amazonaws.com https://*.s3.us-west-1.amazonaws.com https://*.s3.us-west-2.amazonaws.com https://*.s3.af-south-1.amazonaws.com https://*.s3.ap-east-1.amazonaws.com https://*.s3.ap-southeast-3.amazonaws.com https://*.s3.ap-south-1.amazonaws.com https://*.s3.ap-northeast-3.amazonaws.com https://*.s3.ap-northeast-2.amazonaws.com https://*.s3.ap-southeast-1.amazonaws.com https://*.s3.ap-southeast-2.amazonaws.com https://*.s3.ap-northeast-1.amazonaws.com https://*.s3.ca-central-1.amazonaws.com https://*.s3.cn-north-1.amazonaws.com https://*.s3.cn-northwest-1.amazonaws.com https://*.s3.eu-central-1.amazonaws.com https://*.s3.eu-west-1.amazonaws.com https://*.s3.eu-west-2.amazonaws.com https://*.s3.eu-south-1.amazonaws.com https://*.s3.eu-west-3.amazonaws.com https://*.s3.eu-north-1.amazonaws.com https://*.s3.sa-east-1.amazonaws.com https://*.s3.me-south-1.amazonaws.com https://*.s3.us-gov-east-1.amazonaws.com https://*.s3.us-gov-west-1.amazonaws.com https://api.github.com";    
-    set $csp_font "font-src 'self' data: https://cdn.jsdelivr.net https://fonts.gstatic.com https://rsms.me https://maxcdn.bootstrapcdn.com  https://js.intercomcdn.com  https://fonts.intercomcdn.com";
-    set $csp_frame "frame-src 'self' https:";
-    set $csp_img "img-src http: https: data: blob:";
-    set $csp_manifest "manifest-src 'self'";
-    set $csp_media "media-src 'self' https://js.intercomcdn.com https://cdn.budi.live"; 
-    set $csp_worker "worker-src blob:";
-
     error_page 502 503 504 /error.html;
     location = /error.html {
       root /usr/share/nginx/html;
@@ -73,7 +60,6 @@ http {
     add_header X-Frame-Options SAMEORIGIN always;
     add_header X-Content-Type-Options nosniff always;
     add_header X-XSS-Protection "1; mode=block" always;
-    add_header Content-Security-Policy "${csp_default}; ${csp_script}; ${csp_style}; ${csp_object}; ${csp_base_uri}; ${csp_connect}; ${csp_font}; ${csp_frame}; ${csp_img}; ${csp_manifest}; ${csp_media}; ${csp_worker};" always;
     add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
 
     # upstreams

packages/backend-core/src/middleware/contentSecurityPolicy.ts

@@ -4,14 +4,13 @@ const CSP_DIRECTIVES = {
   "default-src": ["'self'"],
   "script-src": [
     "'self'",
-    // "'unsafe-inline'",
     "'unsafe-eval'",
     "https://*.budibase.net",
     "https://cdn.budi.live",
     "https://js.intercomcdn.com",
     "https://widget.intercom.io",
     "https://d2l5prqdbvm3op.cloudfront.net",
-    "https://us-assets.i.posthog.com"
+    "https://us-assets.i.posthog.com",
   ],
   "style-src": [
     "'self'",
@@ -19,7 +18,7 @@ const CSP_DIRECTIVES = {
     "https://cdn.jsdelivr.net",
     "https://fonts.googleapis.com",
     "https://rsms.me",
-    "https://maxcdn.bootstrapcdn.com"
+    "https://maxcdn.bootstrapcdn.com",
   ],
   "object-src": ["'none'"],
   "base-uri": ["'self'"],
@@ -64,7 +63,7 @@ const CSP_DIRECTIVES = {
     "https://*.s3.me-south-1.amazonaws.com",
     "https://*.s3.us-gov-east-1.amazonaws.com",
     "https://*.s3.us-gov-west-1.amazonaws.com",
-    "https://api.github.com"
+    "https://api.github.com",
   ],
   "font-src": [
     "'self'",
@@ -74,30 +73,36 @@ const CSP_DIRECTIVES = {
     "https://rsms.me",
     "https://maxcdn.bootstrapcdn.com",
     "https://js.intercomcdn.com",
-    "https://fonts.intercomcdn.com"
+    "https://fonts.intercomcdn.com",
   ],
   "frame-src": ["'self'", "https:"],
   "img-src": ["http:", "https:", "data:", "blob:"],
   "manifest-src": ["'self'"],
-  "media-src": ["'self'", "https://js.intercomcdn.com", "https://cdn.budi.live"],
-  "worker-src": ["blob:"]
+  "media-src": [
+    "'self'",
+    "https://js.intercomcdn.com",
+    "https://cdn.budi.live",
+  ],
+  "worker-src": ["blob:"],
 }
 
 export async function contentSecurityPolicy(ctx: any, next: any) {
   try {
     const nonce = crypto.randomBytes(16).toString("base64")
 
-    CSP_DIRECTIVES['script-src'].push(`'nonce-${nonce}'`)
+    CSP_DIRECTIVES["script-src"].push(`'nonce-${nonce}'`)
 
     ctx.state.nonce = nonce
 
     const cspHeader = Object.entries(CSP_DIRECTIVES)
-      .map(([key, sources]) => `${key} ${sources.join(' ')}`)
-      .join('; ')
-    ctx.set("Content-Security-Policy", cspHeader);
+      .map(([key, sources]) => `${key} ${sources.join(" ")}`)
+      .join("; ")
+    ctx.set("Content-Security-Policy", cspHeader)
     await next()
   } catch (err: any) {
-    console.error(`Some error: ${err}`)
+    console.error(
+      `Error occurred in Content-Security-Policy middleware: ${err}`
+    )
   }
 }
 

packages/server/src/api/controllers/static/index.ts

@@ -260,7 +260,7 @@ export const serveBuilderPreview = async function (ctx: Ctx) {
     const previewHbs = loadHandlebarsFile(join(previewLoc, "preview.hbs"))
     ctx.body = await processString(previewHbs, {
       clientLibPath: objectStore.clientLibraryUrl(appId!, appInfo.version),
-      nonce: ctx.state.nonce
+      nonce: ctx.state.nonce,
     })
   } else {
     // just return the app info for jest to assert on

packages/server/src/environment.ts

@@ -114,6 +114,7 @@ const environment = {
     DEFAULTS.JS_RUNNER_MEMORY_LIMIT,
   LOG_JS_ERRORS: process.env.LOG_JS_ERRORS,
   DISABLE_USER_SYNC: process.env.DISABLE_USER_SYNC,
+  DISABLE_CONTENT_SECURITY_POLICY: process.env.DISABLE_CONTENT_SECURITY_POLICY,
   // old
   CLIENT_ID: process.env.CLIENT_ID,
   _set(key: string, value: any) {

packages/server/src/koa.ts

@@ -37,7 +37,9 @@ export default function createKoaApp() {
   app.use(middleware.correlation)
   app.use(middleware.pino)
   app.use(middleware.ip)
-  app.use(middleware.csp)
+  if (!env.DISABLE_CONTENT_SECURITY_POLICY) {
+    app.use(middleware.csp)
+  }
   app.use(userAgent)
 
   const server = http.createServer(app.callback())

packages/types/src/sdk/koa.ts

@@ -48,6 +48,7 @@ export interface Ctx<RequestBody = any, ResponseBody = any> extends Context {
   request: BBRequest<RequestBody>
   body: ResponseBody
   userAgent: UserAgentContext["userAgent"]
+  state: { nonce: string }
 }
 
 /**
@@ -56,6 +57,7 @@ export interface Ctx<RequestBody = any, ResponseBody = any> extends Context {
 export interface UserCtx<RequestBody = any, ResponseBody = any>
   extends Ctx<RequestBody, ResponseBody> {
   user: ContextUser
+  state: { nonce: string }
   roleId?: string
   eventEmitter?: ContextEmitter
   loginMethod?: LoginMethod

packages/worker/src/environment.ts

@@ -46,6 +46,7 @@ const environment = {
   SMTP_FALLBACK_ENABLED: process.env.SMTP_FALLBACK_ENABLED,
   DISABLE_DEVELOPER_LICENSE: process.env.DISABLE_DEVELOPER_LICENSE,
   BUDIBASE_ENVIRONMENT: process.env.BUDIBASE_ENVIRONMENT,
+  DISABLE_CONTENT_SECURITY_POLICY: process.env.DISABLE_CONTENT_SECURITY_POLICY,
   // smtp
   SMTP_USER: process.env.SMTP_USER,
   SMTP_PASSWORD: process.env.SMTP_PASSWORD,

packages/worker/src/index.ts

@@ -56,6 +56,9 @@ app.use(koaSession(app))
 app.use(middleware.correlation)
 app.use(middleware.pino)
 app.use(middleware.ip)
+if (!env.DISABLE_CONTENT_SECURITY_POLICY) {
+  app.use(middleware.csp)
+}
 app.use(userAgent)
 
 // authentication