From e933004daff092976d00827dbe8f229fb0a7902b Mon Sep 17 00:00:00 2001
From: Thomas Citharel
Date: Tue, 26 Jan 2021 16:39:50 +0100
Subject: [PATCH] Fix CSP issues in production
Signed-off-by: Thomas Citharel
---
 js/src/main.ts | 1 +
 js/vue.config.js | 10 +++++++---
 js/yarn.lock | 6 +++---
 lib/web/plugs/http_security_plug.ex | 11 +++-------
 4 files changed, 14 insertions(+), 14 deletions(-)
diff --git a/js/src/main.ts b/js/src/main.ts
index 125100ad7..2ace9af59 100644
--- a/js/src/main.ts
+++ b/js/src/main.ts
@@ -37,5 +37,6 @@ new Vue({
 el: "#app",
 template: "",
 components: { App },
+ render: (h) => h(App),
 i18n,
 });
diff --git a/js/vue.config.js b/js/vue.config.js
index 4ac29a74f..cacda4b92 100644
--- a/js/vue.config.js
+++ b/js/vue.config.js
@@ -1,10 +1,8 @@
 const path = require("path");
 const ForkTsCheckerWebpackPlugin = require("fork-ts-checker-webpack-plugin");
+const webpack = require("webpack");
 module.exports = {
- runtimeCompiler: true,
- filenameHashing: true,
- productionSourceMap: false,
 outputDir: path.resolve(__dirname, "../priv/static"),
 configureWebpack: (config) => {
 // Limit the used memory when building
@@ -26,6 +24,12 @@ module.exports = {
 forkTsCheckerOptions.memoryLimit = process.env.NODE_BUILD_MEMORY || 2048;
 config.plugins.push(new ForkTsCheckerWebpackPlugin(forkTsCheckerOptions));
+ config.plugins.push(
+ new webpack.DefinePlugin({
+ global: "window", // Placeholder for global used in any node_modules
+ })
+ );
+ config.node.global = false;
 },
 chainWebpack: (config) => {
 // remove the prefetch plugin
diff --git a/js/yarn.lock b/js/yarn.lock
index 3107e8acb..9a9d5cfb3 100644
--- a/js/yarn.lock
+++ b/js/yarn.lock
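Review bot: Removing `productionSourceMap: false` from `module.exports` in the first `js/vue.config.js` hunk re-enables Vue CLI's default of emitting source maps for production builds, so `.map` files carrying the original TypeScript would be written to `../priv/static` and served alongside the app; nothing in the commit message says that is wanted. If it is not, keep that single line: `productionSourceMap: false,`. The other two removals look intentional or harmless (`runtimeCompiler: true` goes away in step with the `render` function added in `js/src/main.ts`, and `filenameHashing: true` is the CLI default), but a one-line comment such as `// No runtime template compiler: main.ts supplies a render function instead` would record why the compiler was dropped.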
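Review bot: The comment on the new `global: "window"` define in the second `js/vue.config.js` hunk undersells what it does: `DefinePlugin` rewrites every free `global` identifier in every bundled module, the project's own sources included, not only node_modules, so a more accurate comment would be `// Rewrite the free 'global' identifier to 'window' for dependencies that expect Node; webpack's own global polyfill is disabled below`. `config.node.global = false;` also assumes `config.node` is already an object in the CLI-generated config, which appears to hold here, but `config.node = { ...config.node, global: false };` would not throw if a later CLI version left it unset. The enclosing `configureWebpack` arrow function begins in the previous hunk and closes inside this one.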
@@ -12399,9 +12399,9 @@ vue-resize@^1.0.0:
 integrity sha512-SkIi19neeJClapYavfmHiewFZkkTfITVWskg/dIL8b1Eb+RlvnCb8fjGUwLjQJmsw2qsRiiAo4o7BAJVM4pcOA==
 vue-router@^3.1.6:
- version "3.5.0"
- resolved "https://registry.yarnpkg.com/vue-router/-/vue-router-3.5.0.tgz#ae49da16a2939f8d28d66d5784b14167d661192f"
- integrity sha512-QYrPzHMJiJCq20ezhlGok+NbrmjzhQDG6pnpJaD14Eg3NvT07s3acYz2ktxJ7vGHd/Ts4TgG9Tt8a2PA+Js5fw==
+ version "3.5.1"
+ resolved "https://registry.yarnpkg.com/vue-router/-/vue-router-3.5.1.tgz#edf3cf4907952d1e0583e079237220c5ff6eb6c9"
+ integrity sha512-RRQNLT8Mzr8z7eL4p7BtKvRaTSGdCbTy2+Mm5HTJvLGYSSeG9gDzNasJPP/yOYKLy+/cLG/ftrqq5fvkFwBJEw==
 vue-scrollto@^2.17.1:
 version "2.20.0"
diff --git a/lib/web/plugs/http_security_plug.ex b/lib/web/plugs/http_security_plug.ex
index 8a5f2161d..f66cb9aa3 100644
--- a/lib/web/plugs/http_security_plug.ex
+++ b/lib/web/plugs/http_security_plug.ex
@@ -60,19 +60,14 @@ defmodule Mobilizon.Web.Plugs.HTTPSecurityPlug do
 if Config.get(:env) == :dev do
 "script-src 'self' 'unsafe-eval' 'unsafe-inline' "
 else
- "script-src 'self' "
+ "script-src 'self' 'unsafe-eval' 'sha256-4RS22DYeB7U14dra4KcQYxmwt5HkOInieXK1NUMBmQI=' "
 end
 script_src = [script_src] ++ Config.get([:http_security, :csp_policy, :script_src])
 style_src =
- if Config.get(:env) == :dev do
- "style-src 'self' 'unsafe-inline' "
- else
- "style-src 'self' "
- end
-
- style_src = [style_src] ++ Config.get([:http_security, :csp_policy, :style_src])
+ ["style-src 'self' 'unsafe-inline' "] ++
+ Config.get([:http_security, :csp_policy, :style_src])
 font_src = ["font-src 'self' "] ++ Config.get([:http_security, :csp_policy, :font_src])
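Review bot: Adding `'unsafe-eval'` to the production `script-src` in the `else` branch gives up most of what that header was protecting against, since any injected script that reaches `eval`/`new Function` is no longer blocked, and the usual reason a Vue app needs it, the in-browser template compiler, is removed by this same commit (`runtimeCompiler` dropped in `js/vue.config.js`, `render` added in `js/src/main.ts`), so it is worth re-testing whether it is still required and, if so, naming the dependency that needs it in a comment beside the string. The hard-coded `'sha256-4RS22DYeB7U14dra4KcQYxmwt5HkOInieXK1NUMBmQI='` allow-lists one specific inline script that nothing here identifies, and it will silently stop matching when that script changes; a comment such as `# sha256 of <WHICH_INLINE_SCRIPT — fill in> — regenerate when it changes` is the minimum, and a per-response nonce would remove the maintenance hazard entirely. `style-src` now carries `'unsafe-inline'` unconditionally, which drops the dev/prod distinction the removed `if` kept; if that is deliberate, one line saying why (runtime-injected component styles, presumably) would keep a future reader from reverting it. The function enclosing these assignments starts and ends outside the hunk.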