Добавлены заголовки безопасности

package.json

@@ -70,6 +70,7 @@
     "babel-runtime": "^6.0.0",
     "bundle-loader": "^0.5.4",
     "check-node-version": "^2.1.0",
+    "csp-webpack-plugin": "^1.0.2",
     "css-loader": "^0.28.0",
     "enzyme": "^2.2.0",
     "eslint": "^4.0.0",

src/index.ejs

@@ -6,6 +6,9 @@
     <meta http-equiv="X-UA-Compatible" content="IE=edge">
     <meta name="msapplication-tap-highlight" content="no">
     <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1.0, user-scalable=no">
+    <% if (htmlWebpackPlugin.options.isCspEnabled) { %>
+        <meta http-equiv="Content-Security-Policy" content="%%CSP_CONTENT%%">
+    <% } %>
 
     <% if (htmlWebpackPlugin.files.favicon) { %>
         <link rel="shortcut icon" href="<%= htmlWebpackPlugin.files.favicon %>">

webpack.config.js

@@ -11,6 +11,7 @@ const HtmlWebpackPlugin = require('html-webpack-plugin');
 const cssUrl = require('webpack-utils/cssUrl');
 const cssImport = require('postcss-import');
 const SitemapPlugin = require('sitemap-webpack-plugin').default;
+const CSPPlugin = require('csp-webpack-plugin');
 const localeFlags = require('./src/components/i18n/localeFlags').default;
 
 const SUPPORTED_LANGUAGES = Object.keys(require('./src/i18n/index.json'));
@@ -46,6 +47,7 @@ const isTest = process.argv.some((arg) => arg.indexOf('karma') !== -1);
 const isDockerized = !!process.env.DOCKERIZED;
 const isCI = !!process.env.CI;
 const isSilent = isCI || process.argv.some((arg) => /quiet/.test(arg));
+const isCspEnabled = false;
 
 process.env.NODE_ENV = isProduction ? 'production' : 'development';
 if (isTest) {
@@ -107,7 +109,7 @@ const webpackConfig = {
         'react/addons': true
     } : {},
 
-    devtool: 'cheap-module-eval-source-map',
+    devtool: 'cheap-module-source-map',
 
     plugins: [
         new webpack.DefinePlugin({
@@ -131,7 +133,8 @@ const webpackConfig = {
             inject: false,
             minify: {
                 collapseWhitespace: isProduction
-            }
+            },
+            isCspEnabled,
         }),
         new SitemapPlugin('https://account.ely.by', [
             '/',
@@ -314,6 +317,25 @@ if (!isProduction && !isTest) {
     }
 }
 
+if (isCspEnabled) {
+    webpackConfig.plugins.push(new CSPPlugin({
+        'default-src': '\'none\'',
+        'style-src': ['\'self\'', '\'unsafe-inline\''],
+        'script-src': [
+            '\'self\'',
+            '\'unsafe-inline\'',
+            'https://www.google-analytics.com',
+            'https://www.google.com/recaptcha/',
+            'https://www.gstatic.com/recaptcha/',
+        ],
+        'img-src': ['\'self\'', 'data:', 'www.google-analytics.com'],
+        'font-src': ['\'self\'', 'data:'],
+        'connect-src': isProduction ? ['\'self\''] : ['\'self\'', 'ws://localhost:8080'],
+        'frame-src': ['https://www.google.com/recaptcha/'],
+        'report-uri': 'https://sentry.ely.by/api/2/csp-report/?sentry_key=088e7718236a4f91937a81fb319a93f6',
+    }));
+}
+
 if (isDockerized) {
     webpackConfig.watchOptions = {
         poll: 2000

yarn.lock

@@ -1482,7 +1482,7 @@ check-node-version@^2.1.0:
     run-parallel "^1.1.4"
     semver "^5.0.3"
 
-cheerio@^0.22.0:
+cheerio@0.22.0, cheerio@^0.22.0:
   version "0.22.0"
   resolved "https://registry.yarnpkg.com/cheerio/-/cheerio-0.22.0.tgz#a9baa860a3f9b595a6b81b1a86873121ed3a269e"
   dependencies:
@@ -1861,6 +1861,13 @@ crypto-browserify@3.3.0:
     ripemd160 "0.2.0"
     sha.js "2.2.6"
 
+csp-webpack-plugin@^1.0.2:
+  version "1.0.2"
+  resolved "https://registry.yarnpkg.com/csp-webpack-plugin/-/csp-webpack-plugin-1.0.2.tgz#171cb7af8061ac5c339d0368d6de7596dc218cfb"
+  dependencies:
+    cheerio "0.22.0"
+    lodash "^4.17.4"
+
 css-color-names@0.0.4:
   version "0.0.4"
   resolved "https://registry.yarnpkg.com/css-color-names/-/css-color-names-0.0.4.tgz#808adc2e79cf84738069b646cb20ec27beb629e0"