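// True only when NODE_ENV is exactly 'development'; evaluated once, at module load.
const isDev = process.env.NODE_ENV === 'development';

// External origins referenced by the directives below.
const YOUTUBE = 'www.youtube.com';
const ASSETS_STORAGE = 'https://storage.yandexcloud.net';

/**
 * Content-Security-Policy directives, keyed by directive name. Each value is
 * the list of source expressions emitted for that directive, in order.
 *
 * NOTE(review): `base-uri` and `form-action` are not set here, and neither
 * falls back to `default-src`, so both are currently unrestricted.
 */
const policiesConfig = {
  'default-src': ["'self'"],
  // NOTE(review): 'unsafe-inline' allows inline <script> blocks and event
  // handlers, so this policy does not stop injected inline script. Dropping it
  // needs nonces or hashes. 'unsafe-eval' is added in development only; it is
  // spread in conditionally so production output carries no empty token.
  'script-src': ["'self'", "'unsafe-inline'", ...(isDev ? ["'unsafe-eval'"] : [])],
  'script-src-elem': ["'self'", "'unsafe-inline'"],
  'style-src': ["'self'", "'unsafe-inline'"],
  // NOTE(review): `data:` lets <object>/<embed> load content from data: URIs.
  // If the app embeds no plugin content, `'none'` is the stricter setting.
  // Confirm before changing.
  'object-src': ["'self'", 'data:'],
  'style-src-elem': ["'self'", "'unsafe-inline'"],
  'style-src-attr': ["'self'", "'unsafe-inline'"],
  // NOTE(review): the whole ASSETS_STORAGE origin is allowed. If that host is a
  // shared object-storage endpoint, images from any bucket on it are permitted;
  // a path-scoped source would narrow this. Confirm the bucket layout.
  'img-src': ["'self'", ASSETS_STORAGE, 'data:'],
  'font-src': ["'self'"],
  'child-src': ["'self'", YOUTUBE],
  'frame-src': ["'self'", YOUTUBE],
  // Only same-origin pages may frame this site.
  'frame-ancestors': ["'self'"],
  'connect-src': ["'self'"],
};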
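/**
 * Serializes a directive map into a Content-Security-Policy string.
 *
 * Each entry becomes `<directive> <source> <source>...;` and the entries are
 * joined with single spaces, in the object's own key order. Values may be
 * strings or one level of nested arrays. Empty, null, undefined and false
 * entries are skipped, so a conditional source such as `cond ? "'x'" : ''`
 * leaves no stray whitespace in the output.
 *
 * Names and values are emitted verbatim with no escaping or validation, so the
 * config must come from trusted, static code: a value containing `;` would
 * start a new directive.
 *
 * @param {Object<string, Array<string | string[]>>} config - directive name to source list
 * @returns {string} the serialized policy
 */
const getCSP = (config) =>
  Object.entries(config)
    .map(([name, values]) => {
      const sources = values
        .flat()
        .filter((value) => value != null && value !== false && value !== '');
      return `${[name, ...sources].join(' ')};`;
    })
    .join(' ');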
// The module's export is the serialized policy string itself, built once when
// the module is first loaded; later changes to NODE_ENV do not alter it.
const serializedPolicy = getCSP(policiesConfig);
module.exports = serializedPolicy;