From bf354a0a3d87598ea27c2e477a03d62715405fe3 Mon Sep 17 00:00:00 2001
From: ErickSkrauch
Date: Sun, 31 Dec 2017 15:28:31 +0300
Subject: [PATCH] =?UTF-8?q?=D0=94=D0=BE=D0=B1=D0=B0=D0=B2=D0=BB=D0=B5?=
 =?UTF-8?q?=D0=BD=D1=8B=20=D0=B7=D0=B0=D0=B3=D0=BE=D0=BB=D0=BE=D0=B2=D0=BA?=
 =?UTF-8?q?=D0=B8=20=D0=B1=D0=B5=D0=B7=D0=BE=D0=BF=D0=B0=D1=81=D0=BD=D0=BE?=
 =?UTF-8?q?=D1=81=D1=82=D0=B8?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 package.json | 1 +
 src/index.ejs | 3 +++
 webpack.config.js | 26 ++++++++++++++++++++++++--
 yarn.lock | 9 ++++++++-
 4 files changed, 36 insertions(+), 3 deletions(-)
diff --git a/package.json b/package.json
index 95ae608..7f190f3 100644
--- a/package.json
+++ b/package.json
@@ -70,6 +70,7 @@
 "babel-runtime": "^6.0.0",
 "bundle-loader": "^0.5.4",
 "check-node-version": "^2.1.0",
+ "csp-webpack-plugin": "^1.0.2",
 "css-loader": "^0.28.0",
 "enzyme": "^2.2.0",
 "eslint": "^4.0.0",
diff --git a/src/index.ejs b/src/index.ejs
index 4be4a53..36579f9 100644
--- a/src/index.ejs
+++ b/src/index.ejs
@@ -6,6 +6,9 @@
+ <% if (htmlWebpackPlugin.options.isCspEnabled) { %>
+
+ <% } %>
 <% if (htmlWebpackPlugin.files.favicon) { %>
diff --git a/webpack.config.js b/webpack.config.js
index b87242a..4721742 100644
--- a/webpack.config.js
+++ b/webpack.config.js
@@ -11,6 +11,7 @@ const HtmlWebpackPlugin = require('html-webpack-plugin');
 const cssUrl = require('webpack-utils/cssUrl');
 const cssImport = require('postcss-import');
 const SitemapPlugin = require('sitemap-webpack-plugin').default;
+const CSPPlugin = require('csp-webpack-plugin');
 const localeFlags = require('./src/components/i18n/localeFlags').default;
 const SUPPORTED_LANGUAGES = Object.keys(require('./src/i18n/index.json'));
@@ -46,6 +47,7 @@ const isTest = process.argv.some((arg) => arg.indexOf('karma') !== -1);
 const isDockerized = !!process.env.DOCKERIZED;
 const isCI = !!process.env.CI;
 const isSilent = isCI || process.argv.some((arg) => /quiet/.test(arg));
+const isCspEnabled = false;
 process.env.NODE_ENV = isProduction ? 'production' : 'development';
 if (isTest) {
@@ -107,7 +109,7 @@ const webpackConfig = {
 'react/addons': true
 } : {},
- devtool: 'cheap-module-eval-source-map',
+ devtool: 'cheap-module-source-map',
 plugins: [
 new webpack.DefinePlugin({
@@ -131,7 +133,8 @@ const webpackConfig = {
 inject: false,
 minify: {
 collapseWhitespace: isProduction
- }
+ },
+ isCspEnabled,
 }),
 new SitemapPlugin('https://account.ely.by', [
 '/',
@@ -314,6 +317,25 @@ if (!isProduction && !isTest) {
 }
 }
+if (isCspEnabled) {
+ webpackConfig.plugins.push(new CSPPlugin({
+ 'default-src': '\'none\'',
+ 'style-src': ['\'self\'', '\'unsafe-inline\''],
+ 'script-src': [
+ '\'self\'',
+ '\'unsafe-inline\'',
+ 'https://www.google-analytics.com',
+ 'https://www.google.com/recaptcha/',
+ 'https://www.gstatic.com/recaptcha/',
+ ],
+ 'img-src': ['\'self\'', 'data:', 'www.google-analytics.com'],
+ 'font-src': ['\'self\'', 'data:'],
+ 'connect-src': isProduction ? ['\'self\''] : ['\'self\'', 'ws://localhost:8080'],
+ 'frame-src': ['https://www.google.com/recaptcha/'],
+ 'report-uri': 'https://sentry.ely.by/api/2/csp-report/?sentry_key=088e7718236a4f91937a81fb319a93f6',
+ }));
+}
+
 if (isDockerized) {
 webpackConfig.watchOptions = {
 poll: 2000
diff --git a/yarn.lock b/yarn.lock
index 7f0cde4..88aabdc 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -1482,7 +1482,7 @@ check-node-version@^2.1.0:
 run-parallel "^1.1.4"
 semver "^5.0.3"
-cheerio@^0.22.0:
+cheerio@0.22.0, cheerio@^0.22.0:
 version "0.22.0"
 resolved "https://registry.yarnpkg.com/cheerio/-/cheerio-0.22.0.tgz#a9baa860a3f9b595a6b81b1a86873121ed3a269e"
 dependencies:
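Review bot: `const isCspEnabled = false;` in the @@ -46 hunk ships the new policy permanently off, and unlike the neighbouring `isDockerized`, `isCI` and `isSilent` flags it cannot be turned on for a build without editing this file. If the intent is to keep it disabled until the policy has been checked against the real page, record that next to the flag, e.g. `// CSP injection is off until the policy further down has been verified in production`, or derive the flag from the environment the way the other flags in this block are. The declaration block this line belongs to starts before the hunk.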
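Review bot: The `devtool` switch from `'cheap-module-eval-source-map'` to `'cheap-module-source-map'` in the @@ -107 hunk carries no explanation, although it is presumably what lets the CSP added later in this file omit `'unsafe-eval'` from `'script-src'` (the eval-flavoured devtools wrap each module in `eval()`). Without a note the next maintainer is likely to revert it for faster rebuilds and silently break the policy; a one-liner is enough: `// non-eval source maps: the CSP below deliberately does not allow 'unsafe-eval'`. The `webpackConfig` object continues outside the hunk.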
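Review bot: `'script-src'` in the new `CSPPlugin` options (@@ -314 hunk) includes `'unsafe-inline'`, which allows any injected inline script to execute and so gives up most of the cross-site-scripting protection the policy exists to provide; unless the page really depends on inline scripts, drop it and allow the remaining inline scripts by nonce or hash, and treat `'unsafe-inline'` in `'style-src'` the same way where feasible. The `'report-uri'` directive is only honoured when the policy arrives as a `Content-Security-Policy` response header and is ignored in a `<meta http-equiv>` policy; the `isCspEnabled` branch added to src/index.ejs (whose inner line did not survive extraction) suggests the policy is delivered in the HTML, in which case no violation report would ever reach the Sentry endpoint. `base-uri` and `form-action` do not fall back to `'default-src'`, so if the plugin passes directives through unchanged, consider adding `'base-uri': '\'self\''` and `'form-action': '\'self\''`. Finally `'img-src'` lists `www.google-analytics.com` without a scheme while every other remote origin is written as an explicit `https://` URL; `'https://www.google-analytics.com'` keeps the policy consistent and scheme-restricted.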
@@ -1861,6 +1861,13 @@ crypto-browserify@3.3.0:
 ripemd160 "0.2.0"
 sha.js "2.2.6"
+csp-webpack-plugin@^1.0.2:
+ version "1.0.2"
+ resolved "https://registry.yarnpkg.com/csp-webpack-plugin/-/csp-webpack-plugin-1.0.2.tgz#171cb7af8061ac5c339d0368d6de7596dc218cfb"
+ dependencies:
+ cheerio "0.22.0"
+ lodash "^4.17.4"
+
 css-color-names@0.0.4:
 version "0.0.4"
 resolved "https://registry.yarnpkg.com/css-color-names/-/css-color-names-0.0.4.tgz#808adc2e79cf84738069b646cb20ec27beb629e0"