From 707c22dac7a8566af3a9bd22a5da080ab909bff7 Mon Sep 17 00:00:00 2001
From: Robbie Antenesse
Date: Mon, 24 Aug 2020 11:25:45 -0600
Subject: [PATCH] Fix CSP to allow content from required domains

---
 server/index.js | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/server/index.js b/server/index.js
index d82ccce..8d8e49c 100644
--- a/server/index.js
+++ b/server/index.js
@@ -15,7 +15,21 @@ const fastify = require('fastify')({
 logger: process.env.NODE_ENV !== 'production',
 });
 fastify.decorate('siteConfig', siteConfig); // Insert siteConfig into global fastify instance
-fastify.register(require('fastify-helmet')); // Add security stuff
+fastify.register(require('fastify-helmet'), { // Add security stuff
+ contentSecurityPolicy: { // Modify Content Security Policy headers to allow content from specific domains
+ directives: {
+ 'default-src': ["'self'"], // Default value
+ 'base-uri': ["'self'"], // Default value
+ 'block-all-mixed-content': [], // Default value
+ 'frame-ancestors': ["'self'"], // Default value
+ 'style-src': ["'self'", "https: 'unsafe-inline'"], // Default value
+ 'upgrade-insecure-requests': [], // Default value
+ 'object-src': ["'none'"], // Default value
+ 'script-src': ["'self'", 'polyfill.io', "https: 'unsafe-inline'"], // Allow loading scripts inline (required for Choo) and from polyfill.io
+ 'img-src': ["'self'", siteConfig.inventaireDomain, 'openlibrary.org', 'covers.openlibrary.org', "data:"], // Allow images from Inventaire, Open Library, and raw `data:` hashes
+ }
+ }
+});
 fastify.register(require('fastify-compress')); // Compress output data for smaller packet delivery
 fastify.register(require('fastify-static'), { // Enable delivering static content efficiently
 root: path.resolve(__dirname, '../public'), // all static content will be delivered from the public/ folder
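Review bot: The new `'script-src'` directive combines `'unsafe-inline'` with the `https:` scheme source, so any inline script and any script fetched over HTTPS from any host is permitted and the policy no longer constrains script execution, which is the main protection a CSP gives against injected markup. The inline-script need described in the comment is better met with a per-response nonce or hashes of the specific inline scripts, after which the `https:` source can be dropped, e.g. `'script-src': ["'self'", 'polyfill.io', "'nonce-<per-response-value>'"],`. As a point of style, each source expression should be its own array element (`'https:', "'unsafe-inline'"` rather than the single string `"https: 'unsafe-inline'"`, in `'style-src'` as well); the combined form only serializes correctly because directive values are space-joined. Listing a third-party host in `'script-src'` means trusting whatever that host serves at request time, and SRI cannot pin a dynamically assembled polyfill bundle, so self-hosting the required polyfills under `'self'` would remove that dependency. If `siteConfig.inventaireDomain` can be unset at startup, `'img-src'` receives a non-string entry that helmet will presumably reject, so it is worth validating in config loading.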