oasis/src/http.js


const Koa = require('koa')
const koaStatic = require('koa-static')
const path = require('path')
const mount = require('koa-mount')

module.exports = ({ host, port, routes }) => {
  const assets = new Koa()
  assets.use(koaStatic(path.join(__dirname, 'assets')))

  const app = new Koa()
  module.exports = app

  app.on('error', (e) => {
    // Output full error objects
    e.message = e.stack
    e.expose = true
    return null
  })

  app.use(mount('/assets', assets))

  // headers
  app.use(async (ctx, next) => {
    await next()

    const csp = [
      'default-src \'none\'',
      'img-src \'self\'',
      'form-action \'self\'',
      'media-src \'self\'',
      'style-src \'self\' \'unsafe-inline\''
    ].join('; ')

    // Disallow scripts.
    ctx.set('Content-Security-Policy', csp)

    // Disallow <iframe> embeds from other domains.
    ctx.set('X-Frame-Options', 'SAMEORIGIN')

    // Disallow browsers overwriting declared media types.
    ctx.set('X-Content-Type-Options', 'nosniff')

    // Disallow sharing referrer with other domains.
    ctx.set('Referrer-Policy', 'same-origin')

    // Disallow extra browser features except audio output.
    ctx.set('Feature-Policy', 'speaker \'self\'')

    if (ctx.method !== 'GET') {
      const referer = ctx.request.header.referer
      ctx.assert(referer != null, `HTTP ${ctx.method} must include referer`)
      const refererUrl = new URL(referer)
      const isBlobUrl = refererUrl.pathname.startsWith('/blob/')
      ctx.assert(isBlobUrl === false, `HTTP ${ctx.method} from blob URL not allowed`)
    }
  })
  app.use(routes)
  app.listen({ host, port })
}
Change src directory to use mediator pattern 2020-01-08 16:37:52 +00:00
			`const Koa = require('koa')`
			`const koaStatic = require('koa-static')`
			`const path = require('path')`
			`const mount = require('koa-mount')`

			`module.exports = ({ host, port, routes }) => {`
			`const assets = new Koa()`
			`assets.use(koaStatic(path.join(__dirname, 'assets')))`

			`const app = new Koa()`
			`module.exports = app`

			`app.on('error', (e) => {`
			`// Output full error objects`
			`e.message = e.stack`
			`e.expose = true`
			`return null`
			`})`

			`app.use(mount('/assets', assets))`

			`// headers`
			`app.use(async (ctx, next) => {`
			`await next()`

			`const csp = [`
			`'default-src \'none\'',`
			`'img-src \'self\'',`
			`'form-action \'self\'',`
			`'media-src \'self\'',`
			`'style-src \'self\' \'unsafe-inline\''`
			`].join('; ')`

			`// Disallow scripts.`
			`ctx.set('Content-Security-Policy', csp)`

			`// Disallow <iframe> embeds from other domains.`
			`ctx.set('X-Frame-Options', 'SAMEORIGIN')`

			`// Disallow browsers overwriting declared media types.`
			`ctx.set('X-Content-Type-Options', 'nosniff')`

			`// Disallow sharing referrer with other domains.`
			`ctx.set('Referrer-Policy', 'same-origin')`

			`// Disallow extra browser features except audio output.`
			`ctx.set('Feature-Policy', 'speaker \'self\'')`

			`if (ctx.method !== 'GET') {`
			`const referer = ctx.request.header.referer`
			ctx.assert(referer != null, `HTTP ${ctx.method} must include referer`)
			`const refererUrl = new URL(referer)`
			`const isBlobUrl = refererUrl.pathname.startsWith('/blob/')`
			ctx.assert(isBlobUrl === false, `HTTP ${ctx.method} from blob URL not allowed`)
			`}`
			`})`
			`app.use(routes)`
			`app.listen({ host, port })`
			`}`