coop-cloud-chaos-patchs/outline
Archived
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

chore: Add Timing-Allow-Origin header (#1860)

Browse Source
This commit is contained in:
Tom Moor
2021-02-01 21:13:44 -08:00
committed by GitHub
parent a9d60d288e
commit 334dce7984
3 changed files with 40 additions and 25 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
server/app.js
View File

@ -29,7 +29,6 @@ const scriptSrc = [
"'unsafe-inline'", "'unsafe-inline'",
"'unsafe-eval'", "'unsafe-eval'",
"gist.github.com", "gist.github.com",
"browser.sentry-cdn.com",
]; ];
if (env.GOOGLE_ANALYTICS_ID) { if (env.GOOGLE_ANALYTICS_ID) {
@ -122,8 +121,8 @@ if (process.env.SENTRY_DSN) {
maxBreadcrumbs: 0, maxBreadcrumbs: 0,
ignoreErrors: [ ignoreErrors: [
// emitted by Koa when bots attempt to snoop on paths such as wp-admin // emitted by Koa when bots attempt to snoop on paths such as wp-admin
// or the user submits a bad request. These are expected in normal running // or the user client submits a bad request. These are expected in normal
// of the application // running of the application and don't need to be reported.
"BadRequestError", "BadRequestError",
"UnauthorizedError", "UnauthorizedError",
], ],
@ -168,6 +167,8 @@ app.on("error", (error, ctx) => {
app.use(mount("/auth", auth)); app.use(mount("/auth", auth));
app.use(mount("/api", api)); app.use(mount("/api", api));
// Sets common security headers by default, such as no-sniff, hsts, hide powered
// by etc
app.use(helmet()); app.use(helmet());
app.use( app.use(
contentSecurityPolicy({ contentSecurityPolicy({
@ -178,18 +179,14 @@ app.use(
imgSrc: ["*", "data:", "blob:"], imgSrc: ["*", "data:", "blob:"],
frameSrc: ["*"], frameSrc: ["*"],
connectSrc: ["*"], connectSrc: ["*"],
// Removed because connect-src: self + websockets does not work in Safari // Do not use connect-src: because self + websockets does not work in
// Ref: https://bugs.webkit.org/show_bug.cgi?id=201591 // Safari, ref: https://bugs.webkit.org/show_bug.cgi?id=201591
// connectSrc: compact([
// "'self'",
// process.env.AWS_S3_UPLOAD_BUCKET_URL.replace("s3:", "localhost:"),
// "www.google-analytics.com",
// "api.github.com",
// "sentry.io",
// ]),
}, },
}) })
); );
// Allow DNS prefetching for performance, we do not care about leaking requests
// to our own CDN's
app.use(dnsPrefetchControl({ allow: true })); app.use(dnsPrefetchControl({ allow: true }));
app.use(referrerPolicy({ policy: "no-referrer" })); app.use(referrerPolicy({ policy: "no-referrer" }));
app.use(mount(routes)); app.use(mount(routes));

22
server/routes.js
View File

@ -7,7 +7,7 @@ import Router from "koa-router";
import sendfile from "koa-sendfile"; import sendfile from "koa-sendfile";
import serve from "koa-static"; import serve from "koa-static";
import { languages } from "../shared/i18n"; import { languages } from "../shared/i18n";
import environment from "./env"; import env from "./env";
import apexRedirect from "./middlewares/apexRedirect"; import apexRedirect from "./middlewares/apexRedirect";
import { opensearchResponse } from "./utils/opensearch"; import { opensearchResponse } from "./utils/opensearch";
import prefetchTags from "./utils/prefetchTags"; import prefetchTags from "./utils/prefetchTags";
@ -45,12 +45,12 @@ const renderApp = async (ctx, next) => {
} }
const page = await readIndexFile(ctx); const page = await readIndexFile(ctx);
const env = ` const environment = `
window.env = ${JSON.stringify(environment)}; window.env = ${JSON.stringify(env)};
`; `;
ctx.body = page ctx.body = page
.toString() .toString()
.replace(/\/\/inject-env\/\//g, env) .replace(/\/\/inject-env\/\//g, environment)
.replace(/\/\/inject-prefetch\/\//g, prefetchTags) .replace(/\/\/inject-prefetch\/\//g, prefetchTags)
.replace(/\/\/inject-slack-app-id\/\//g, process.env.SLACK_APP_ID || ""); .replace(/\/\/inject-slack-app-id\/\//g, process.env.SLACK_APP_ID || "");
}; };
@ -111,7 +111,19 @@ router.get("/share/*", (ctx, next) => {
// catch all for application // catch all for application
router.get("*", renderApp); router.get("*", renderApp);
// middleware // In order to report all possible performance metrics to Sentry this header
// must be provided when serving the application, see:
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Timing-Allow-Origin
const timingOrigins = [env.URL];
if (env.SENTRY_DSN) {
timingOrigins.push("https://sentry.io");
}
koa.use(async (ctx, next) => {
ctx.set("Timing-Allow-Origin", timingOrigins.join(", "));
await next();
});
koa.use(apexRedirect()); koa.use(apexRedirect());
koa.use(router.routes()); koa.use(router.routes());

22
server/utils/prefetchTags.js
View File

@ -28,6 +28,7 @@ try {
// no-op // no-op
} }
let index = 0;
Object.values(manifestData).forEach((filename) => { Object.values(manifestData).forEach((filename) => {
if (typeof filename !== "string") return; if (typeof filename !== "string") return;
if (!env.CDN_URL) return; if (!env.CDN_URL) return;
@ -40,14 +41,19 @@ Object.values(manifestData).forEach((filename) => {
filename.includes("/runtime") || filename.includes("/runtime") ||
filename.includes("/vendors"); filename.includes("/vendors");
prefetchTags.push( // only prefetch the first few javascript chunks or it gets out of hand fast
<link const shouldPrefetch = ++index <= 6;
rel={shouldPreload ? "preload" : "prefetch"}
href={filename} if (shouldPreload || shouldPrefetch) {
key={filename} prefetchTags.push(
as="script" <link
/> rel={shouldPreload ? "preload" : "prefetch"}
); href={filename}
key={filename}
as="script"
/>
);
}
} else if (filename.endsWith(".css")) { } else if (filename.endsWith(".css")) {
prefetchTags.push( prefetchTags.push(
<link rel="prefetch" href={filename} key={filename} as="style" /> <link rel="prefetch" href={filename} key={filename} as="style" />