
Commit 35ad0ae

authored
fix: made CSP stricter in prod (#503)
* fix: made CSP stricter in prod * fix: apparently you can't refactor things out as globals in vue.config.js? strange * fix: fixed CSP in dev * fix: simplified CSP template param
1 parent d7c70b4 commit 35ad0ae


2 files changed

+6
-2
lines changed


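--- a/src/index.html
+++ b/src/index.html
@@ -5,7 +5,8 @@
 <title>ActivityWatch</title>
 <link rel="icon" type="image/png" href="/static/logo.png">
 <meta name="viewport" content="width=device-width,initial-scale=1.0">
-<meta http-equiv="Content-Security-Policy" content="default-src 'self' 127.0.0.1:5600 127.0.0.1:5666 localhost:5666 *:27180 ws://*:27180 https://api.github.com/repos/ActivityWatch/activitywatch/releases/latest; img-src 'self' data:; font-src 'self' data:; style-src 'self' 'unsafe-inline'; object-src 'none'; script-src 'self' 'unsafe-eval'">
+<!-- Verify with https://csp-evaluator.withgoogle.com/ -->
+<meta http-equiv="Content-Security-Policy" content="default-src 'self' <%= htmlWebpackPlugin.options.templateParameters.cspDefaultSrc %> https://api.github.com/repos/ActivityWatch/activitywatch/releases/latest; img-src 'self' data:; font-src 'self' data:; style-src 'self' 'unsafe-inline'; object-src 'none'; script-src 'self' 'unsafe-eval'">
 </head>
 <body>
 <noscript>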
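Review bot: The `script-src 'self' 'unsafe-eval'` and `style-src 'self' 'unsafe-inline'` directives on the new meta tag are the same in dev and prod, so the production policy still permits eval-style script execution and inline styles, and the csp-evaluator the new comment links to will flag both. If `'unsafe-eval'` is required by a dependency (this hunk does not show which), record that next to the tag so the allowance is neither removed blindly nor kept forever, e.g. extend the comment to `<!-- Verify with https://csp-evaluator.withgoogle.com/ ; script-src keeps 'unsafe-eval' because <REASON-PLACEHOLDER>, drop it once no longer needed -->`. Note also that `<%= %>` emits `cspDefaultSrc` into the attribute unescaped; that is acceptable while the value is a build-time constant set in `vue.config.js`, and a one-line comment stating that the value must stay build-controlled would make the assumption explicit.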

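--- a/vue.config.js
+++ b/vue.config.js
@@ -15,6 +15,9 @@ module.exports = {
 index: {
 entry: './src/main.js',
 template: './src/index.html',
+templateParameters: {
+cspDefaultSrc: process.env.NODE_ENV === 'production' ? '' : '*:5600 *:5666 ws://*:27180',
+},
 },
 },
 chainWebpack: config => {
@@ -40,8 +43,8 @@ module.exports = {
 plugins: [
 new webpack.IgnorePlugin({ resourceRegExp: /^\.\/locale$/, contextRegExp: /moment$/ }),
 new webpack.DefinePlugin({
-AW_SERVER_URL: process.env.AW_SERVER_URL,
 PRODUCTION: process.env.NODE_ENV === 'production',
+AW_SERVER_URL: process.env.AW_SERVER_URL,
 COMMIT_HASH: JSON.stringify(_COMMIT_HASH),
 }),
 new CopyWebpackPlugin([{ from: 'static/', to: 'static' }]),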
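Review bot: In production `cspDefaultSrc` collapses to `''`, so a production build whose `AW_SERVER_URL` (defined via `DefinePlugin` in the second hunk) points at a host other than the page's own origin will have its API requests blocked by the policy, because `default-src 'self'` in `src/index.html` also governs `connect-src`. If a non-same-origin server URL is a supported production configuration, derive the extra source from it rather than hard-coding the empty string, e.g. `cspDefaultSrc: process.env.NODE_ENV === 'production' ? (process.env.AW_SERVER_URL || '') : '*:5600 *:5666 ws://*:27180',`, and otherwise add a comment above `templateParameters` stating that production assumes the server is same-origin and that this value feeds the `Content-Security-Policy` meta tag in `src/index.html`. Separately, `AW_SERVER_URL: process.env.AW_SERVER_URL` is handed to `DefinePlugin` without `JSON.stringify`, unlike `COMMIT_HASH` two lines below, so the raw value is injected as a code expression rather than a string literal; this predates the commit, but it is worth confirming the variable is expected to arrive already quoted.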
