diff --git a/hosting/nginx.dev.conf b/hosting/nginx.dev.conf index f0a58a9a98..e3d6d47287 100644 --- a/hosting/nginx.dev.conf +++ b/hosting/nginx.dev.conf @@ -45,6 +45,20 @@ http { client_max_body_size 50000m; ignore_invalid_headers off; proxy_buffering off; + set $csp_default "default-src 'self'"; + set $csp_script "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://*.budibase.net https://cdn.budi.live https://js.intercomcdn.com https://widget.intercom.io https://d2l5prqdbvm3op.cloudfront.net https://us-assets.i.posthog.com"; + set $csp_style "style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net https://fonts.googleapis.com https://rsms.me https://maxcdn.bootstrapcdn.com"; + set $csp_object "object-src 'none'"; + set $csp_base_uri "base-uri 'self'"; + set $csp_connect "connect-src 'self' https://*.budibase.app https://*.budibaseqa.app https://*.budibase.net https://api-iam.intercom.io https://api-iam.intercom.io https://api-ping.intercom.io https://app.posthog.com https://us.i.posthog.com wss://nexus-websocket-a.intercom.io wss://nexus-websocket-b.intercom.io https://nexus-websocket-a.intercom.io https://nexus-websocket-b.intercom.io https://uploads.intercomcdn.com https://uploads.intercomusercontent.com https://*.amazonaws.com https://*.s3.amazonaws.com https://*.s3.us-east-2.amazonaws.com https://*.s3.us-east-1.amazonaws.com https://*.s3.us-west-1.amazonaws.com https://*.s3.us-west-2.amazonaws.com https://*.s3.af-south-1.amazonaws.com https://*.s3.ap-east-1.amazonaws.com https://*.s3.ap-southeast-3.amazonaws.com https://*.s3.ap-south-1.amazonaws.com https://*.s3.ap-northeast-3.amazonaws.com https://*.s3.ap-northeast-2.amazonaws.com https://*.s3.ap-southeast-1.amazonaws.com https://*.s3.ap-southeast-2.amazonaws.com https://*.s3.ap-northeast-1.amazonaws.com https://*.s3.ca-central-1.amazonaws.com https://*.s3.cn-north-1.amazonaws.com https://*.s3.cn-northwest-1.amazonaws.com https://*.s3.eu-central-1.amazonaws.com https://*.s3.eu-west-1.amazonaws.com https://*.s3.eu-west-2.amazonaws.com https://*.s3.eu-south-1.amazonaws.com https://*.s3.eu-west-3.amazonaws.com https://*.s3.eu-north-1.amazonaws.com https://*.s3.sa-east-1.amazonaws.com https://*.s3.me-south-1.amazonaws.com https://*.s3.us-gov-east-1.amazonaws.com https://*.s3.us-gov-west-1.amazonaws.com https://api.github.com"; + set $csp_font "font-src 'self' data: https://cdn.jsdelivr.net https://fonts.gstatic.com https://rsms.me https://maxcdn.bootstrapcdn.com https://js.intercomcdn.com https://fonts.intercomcdn.com"; + set $csp_frame "frame-src 'self' https:"; + set $csp_img "img-src http: https: data: blob:"; + set $csp_manifest "manifest-src 'self'"; + set $csp_media "media-src 'self' https://js.intercomcdn.com https://cdn.budi.live"; + set $csp_worker "worker-src blob:"; + + add_header Content-Security-Policy "${csp_default}; ${csp_style}; ${csp_object}; ${csp_base_uri}; ${csp_connect}; ${csp_font}; ${csp_frame}; ${csp_img}; ${csp_manifest}; ${csp_media}; ${csp_worker};" always; error_page 502 503 504 /error.html; location = /error.html { diff --git a/packages/server/src/environment.ts b/packages/server/src/environment.ts index 5e277feebe..45d675ec3f 100644 --- a/packages/server/src/environment.ts +++ b/packages/server/src/environment.ts @@ -114,7 +114,6 @@ const environment = { DEFAULTS.JS_RUNNER_MEMORY_LIMIT, LOG_JS_ERRORS: process.env.LOG_JS_ERRORS, DISABLE_USER_SYNC: process.env.DISABLE_USER_SYNC, - DISABLE_CONTENT_SECURITY_POLICY: process.env.DISABLE_CONTENT_SECURITY_POLICY, // old CLIENT_ID: process.env.CLIENT_ID, _set(key: string, value: any) { diff --git a/packages/server/src/koa.ts b/packages/server/src/koa.ts index e595ddc9e6..0dc7fd7081 100644 --- a/packages/server/src/koa.ts +++ b/packages/server/src/koa.ts @@ -6,7 +6,13 @@ import * as api from "./api" import * as automations from "./automations" import { Thread } from "./threads" import * as redis from "./utilities/redis" -import { events, logging, middleware, timers } from "@budibase/backend-core" +import { + events, + logging, + middleware, + timers, + env as coreEnv, +} from "@budibase/backend-core" import destroyable from "server-destroy" import { userAgent } from "koa-useragent" @@ -37,7 +43,7 @@ export default function createKoaApp() { app.use(middleware.correlation) app.use(middleware.pino) app.use(middleware.ip) - if (!env.DISABLE_CONTENT_SECURITY_POLICY) { + if (!coreEnv.DISABLE_CONTENT_SECURITY_POLICY) { app.use(middleware.csp) } app.use(userAgent) diff --git a/packages/worker/src/environment.ts b/packages/worker/src/environment.ts index 3947c7431e..3a9efd70ce 100644 --- a/packages/worker/src/environment.ts +++ b/packages/worker/src/environment.ts @@ -46,7 +46,6 @@ const environment = { SMTP_FALLBACK_ENABLED: process.env.SMTP_FALLBACK_ENABLED, DISABLE_DEVELOPER_LICENSE: process.env.DISABLE_DEVELOPER_LICENSE, BUDIBASE_ENVIRONMENT: process.env.BUDIBASE_ENVIRONMENT, - DISABLE_CONTENT_SECURITY_POLICY: process.env.DISABLE_CONTENT_SECURITY_POLICY, // smtp SMTP_USER: process.env.SMTP_USER, SMTP_PASSWORD: process.env.SMTP_PASSWORD, diff --git a/packages/worker/src/index.ts b/packages/worker/src/index.ts index 89232034a4..010aa4c1a0 100644 --- a/packages/worker/src/index.ts +++ b/packages/worker/src/index.ts @@ -56,7 +56,7 @@ app.use(koaSession(app)) app.use(middleware.correlation) app.use(middleware.pino) app.use(middleware.ip) -if (!env.DISABLE_CONTENT_SECURITY_POLICY) { +if (!coreEnv.DISABLE_CONTENT_SECURITY_POLICY) { app.use(middleware.csp) } app.use(userAgent) diff --git a/yarn.lock b/yarn.lock index 8fabcddd00..73a4e8fa4d 100644 --- a/yarn.lock +++ b/yarn.lock @@ -23244,4 +23244,4 @@ zip-stream@^6.0.1: dependencies: archiver-utils "^5.0.0" compress-commons "^6.0.2" - readable-stream "^4.0.0" + readable-stream "^4.0.0" \ No newline at end of file