disable CSP for /report.html (#151)

* disable CSP for /report.html Fixes #150 * enable minimal helmet() for debug paths
2018-04-17 18:38:14 -07:00 · 2018-04-17 18:38:14 -07:00 · 4b2e3f030a
parent 61b3b9ea75
commit 4b2e3f030a
1 changed files with 20 additions and 5 deletions
--- a/server.js
+++ b/server.js
@ -12,13 +12,27 @@ const { PORT = 4002 } = process.env
 // this allows us to do e.g. `fetch('/_api/blog')` on the server
 const fetch = require('node-fetch')
 global.fetch = (url, opts) => {
-  if (url[0] === '/') url = `http://localhost:${PORT}${url}`
+  if (url[0] === '/') {
+    url = `http://localhost:${PORT}${url}`
+  }
  return fetch(url, opts)
 }

+const debugPaths = ['/report.html', '/stats.json']
+
+const debugOnly = (fn) => (req, res, next) => (
+  !~debugPaths.indexOf(req.path) ? next() : fn(req, res, next)
+)
+
+const nonDebugOnly = (fn) => (req, res, next) => (
+  ~debugPaths.indexOf(req.path) ? next() : fn(req, res, next)
+)
+
 app.use(compression({ threshold: 0 }))

-app.use(helmet({
+// report.html needs to have CSP disable because it has inline scripts
+app.use(debugOnly(helmet()))
+app.use(nonDebugOnly(helmet({
  contentSecurityPolicy: {
    directives: {
      scriptSrc: [`'self'`, `'sha256-${headScriptChecksum}'`],
@ -29,7 +43,7 @@ app.use(helmet({
      manifestSrc: [`'self'`]
    }
  }
-}))
+})))

 app.use(serveStatic('assets', {
  setHeaders: (res) => {
@ -37,8 +51,9 @@ app.use(serveStatic('assets', {
  }
 }))

-app.use('/report.html', express.static('.sapper/client/report.html'))
-app.use('/stats.json', express.static('.sapper/client/stats.json'))
+debugPaths.forEach(debugPath => {
+  app.use(debugPath, express.static(`.sapper/client${debugPath}`))
+})

 app.use(sapper())