From e2876b119d046d60b614e0be364ac4919a8d0424 Mon Sep 17 00:00:00 2001
From: jackyzy823 <jackyzy823@gmail.com>
Date: Thu, 11 Jun 2020 21:57:48 +0800
Subject: [PATCH] add configs to handle content-security-policy correctly for
 custom fxa urls

---
 server/config.js       | 20 ++++++++++++++++++++
 server/routes/index.js | 24 +++++++++++++++++++++---
 2 files changed, 41 insertions(+), 3 deletions(-)

diff --git a/server/config.js b/server/config.js
index 72b750ea..d212d902 100644
--- a/server/config.js
+++ b/server/config.js
@@ -145,6 +145,26 @@ const conf = convict({
     default: 'https://identity.mozilla.com/apps/send',
     env: 'FXA_KEY_SCOPE'
   },
+  fxa_csp_oauth_url: {
+    format: String,
+    default: '',
+    env: 'FXA_CSP_OAUTH_URL'
+  },
+  fxa_csp_content_url: {
+    format: String,
+    default: '',
+    env: 'FXA_CSP_CONTENT_URL'
+  },
+  fxa_csp_profile_url: {
+    format: String,
+    default: '',
+    env: 'FXA_CSP_PROFILE_URL'
+  },
+  fxa_csp_profileimage_url: {
+    format: String,
+    default: '',
+    env: 'FXA_CSP_PROFILEIMAGE_URL'
+  },
   survey_url: {
     format: String,
     default: '',
diff --git a/server/routes/index.js b/server/routes/index.js
index 05759815..cb99f141 100644
--- a/server/routes/index.js
+++ b/server/routes/index.js
@@ -31,8 +31,7 @@ module.exports = function(app) {
     next();
   });
   if (!IS_DEV) {
-    app.use(
-      helmet.contentSecurityPolicy({
+    let csp = {
         directives: {
           defaultSrc: ["'self'"],
           connectSrc: [
@@ -62,9 +61,28 @@ module.exports = function(app) {
           objectSrc: ["'none'"],
           reportUri: '/__cspreport__'
         }
-      })
+      }
+
+    csp.directives.connectSrc.push(config.base_url.replace(/^https:\/\//,'wss://'))
+    if(config.fxa_csp_oauth_url != ""){
+      csp.directives.connectSrc.push(config.fxa_csp_oauth_url)
+    }
+    if(config.fxa_csp_content_url != "" ){
+      csp.directives.connectSrc.push(config.fxa_csp_content_url)
+    }
+    if(config.fxa_csp_profile_url != "" ){
+      csp.directives.connectSrc.push(config.fxa_csp_profile_url)
+    }
+    if(config.fxa_csp_profileimage_url != ""){
+      csp.directives.imgSrc.push(config.fxa_csp_profileimage_url)
+    }
+
+
+    app.use(
+      helmet.contentSecurityPolicy(csp)
     );
   }
+
   app.use(function(req, res, next) {
     res.set('Pragma', 'no-cache');
     res.set(