Добавлены заголовки безопасности

ErickSkrauch 2017-12-31 15:28:31 +03:00
parent a071789e52
commit bf354a0a3d
4 changed files with 36 additions and 3 deletions


@ -70,6 +70,7 @@
"babel-runtime": "^6.0.0",
"bundle-loader": "^0.5.4",
"check-node-version": "^2.1.0",
"csp-webpack-plugin": "^1.0.2",
"css-loader": "^0.28.0",
"enzyme": "^2.2.0",
"eslint": "^4.0.0",


@ -6,6 +6,9 @@
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="msapplication-tap-highlight" content="no">
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1.0, user-scalable=no">
<% if (htmlWebpackPlugin.options.isCspEnabled) { %>
<meta http-equiv="Content-Security-Policy" content="%%CSP_CONTENT%%">
<% } %>
<% if (htmlWebpackPlugin.files.favicon) { %>
<link rel="shortcut icon" href="<%= htmlWebpackPlugin.files.favicon %>">
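Review bot: The CSP `<meta>` emitted inside the `isCspEnabled` branch only governs content parsed after it, so it must stay ahead of every `<script>` and `<link>` in the head; it currently precedes the favicon link, which is correct, and a comment such as `<%# CSP meta must precede all script/link tags; it does not cover earlier elements %>` would keep a later edit from moving it. A policy delivered via `<meta>` also cannot use `report-uri`, `frame-ancestors` or `sandbox`, so the `report-uri` set in the webpack config hunk of this commit will be ignored by browsers unless the policy is sent as an HTTP header by the server instead. The rest of the template lies outside this hunk.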


@ -11,6 +11,7 @@ const HtmlWebpackPlugin = require('html-webpack-plugin');
const cssUrl = require('webpack-utils/cssUrl');
const cssImport = require('postcss-import');
const SitemapPlugin = require('sitemap-webpack-plugin').default;
const CSPPlugin = require('csp-webpack-plugin');
const localeFlags = require('./src/components/i18n/localeFlags').default;
const SUPPORTED_LANGUAGES = Object.keys(require('./src/i18n/index.json'));
@ -46,6 +47,7 @@ const isTest = process.argv.some((arg) => arg.indexOf('karma') !== -1);
const isDockerized = !!process.env.DOCKERIZED;
const isCI = !!process.env.CI;
const isSilent = isCI || process.argv.some((arg) => /quiet/.test(arg));
const isCspEnabled = false;
process.env.NODE_ENV = isProduction ? 'production' : 'development';
if (isTest) {
@ -107,7 +109,7 @@ const webpackConfig = {
'react/addons': true
} : {},
devtool: 'cheap-module-eval-source-map',
devtool: 'cheap-module-source-map',
plugins: [
new webpack.DefinePlugin({
@ -131,7 +133,8 @@ const webpackConfig = {
inject: false,
minify: {
collapseWhitespace: isProduction
}
},
isCspEnabled,
}),
new SitemapPlugin('https://account.ely.by', [
'/',
@ -314,6 +317,25 @@ if (!isProduction && !isTest) {
}
}
if (isCspEnabled) {
webpackConfig.plugins.push(new CSPPlugin({
'default-src': '\'none\'',
'style-src': ['\'self\'', '\'unsafe-inline\''],
'script-src': [
'\'self\'',
'\'unsafe-inline\'',
'https://www.google-analytics.com',
'https://www.google.com/recaptcha/',
'https://www.gstatic.com/recaptcha/',
],
'img-src': ['\'self\'', 'data:', 'www.google-analytics.com'],
'font-src': ['\'self\'', 'data:'],
'connect-src': isProduction ? ['\'self\''] : ['\'self\'', 'ws://localhost:8080'],
'frame-src': ['https://www.google.com/recaptcha/'],
'report-uri': 'https://sentry.ely.by/api/2/csp-report/?sentry_key=088e7718236a4f91937a81fb319a93f6',
}));
}
if (isDockerized) {
webpackConfig.watchOptions = {
poll: 2000
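Review bot: `'unsafe-inline'` in `script-src` lets any injected inline script execute, which removes most of the XSS protection the policy is meant to provide; if the inline scripts in the template cannot be removed, a nonce or hash source covering just those scripts is the usual replacement, and a comment on that line recording why it is present would help the next reviewer. The whole `if (isCspEnabled)` block is also unreachable for now because `isCspEnabled` is hard-coded to `false` earlier in this file, so the policy is shipped but never exercised — presumably intentional until the source list is verified, which a `// TODO: set isCspEnabled to true once the source list is confirmed` note would make explicit. The devtool switch away from the eval variant in this same file appears related, since `eval` would need `'unsafe-eval'` under this policy; a one-line comment at that change would record the dependency. The `if (isDockerized)` block continues past the end of the hunk.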


@ -1482,7 +1482,7 @@ check-node-version@^2.1.0:
run-parallel "^1.1.4"
semver "^5.0.3"
cheerio@^0.22.0:
cheerio@0.22.0, cheerio@^0.22.0:
version "0.22.0"
resolved "https://registry.yarnpkg.com/cheerio/-/cheerio-0.22.0.tgz#a9baa860a3f9b595a6b81b1a86873121ed3a269e"
dependencies:
@ -1861,6 +1861,13 @@ crypto-browserify@3.3.0:
ripemd160 "0.2.0"
sha.js "2.2.6"
csp-webpack-plugin@^1.0.2:
version "1.0.2"
resolved "https://registry.yarnpkg.com/csp-webpack-plugin/-/csp-webpack-plugin-1.0.2.tgz#171cb7af8061ac5c339d0368d6de7596dc218cfb"
dependencies:
cheerio "0.22.0"
lodash "^4.17.4"
css-color-names@0.0.4:
version "0.0.4"
resolved "https://registry.yarnpkg.com/css-color-names/-/css-color-names-0.0.4.tgz#808adc2e79cf84738069b646cb20ec27beb629e0"