fix: made CSP stricter in prod (#503)
* fix: made CSP stricter in prod

* fix: apparently you can't refactor things out as globals in vue.config.js? strange

* fix: fixed CSP in dev

* fix: simplified CSP template param
ErikBjare authored Nov 19, 2023
1 parent d7c70b4 commit 35ad0ae
Showing 2 changed files with 6 additions and 2 deletions.
3 changes: 2 additions & 1 deletion src/index.html
Expand Up @@ -5,7 +5,8 @@
<title>ActivityWatch</title>
<link rel="icon" type="image/png" href="/static/logo.png">
<meta name="viewport" content="width=device-width,initial-scale=1.0">
<meta http-equiv="Content-Security-Policy" content="default-src 'self' 127.0.0.1:5600 127.0.0.1:5666 localhost:5666 *:27180 ws://*:27180 https://api.github.com/repos/ActivityWatch/activitywatch/releases/latest; img-src 'self' data:; font-src 'self' data:; style-src 'self' 'unsafe-inline'; object-src 'none'; script-src 'self' 'unsafe-eval'">
<!-- Verify with https://csp-evaluator.withgoogle.com/ -->
<meta http-equiv="Content-Security-Policy" content="default-src 'self' <%= htmlWebpackPlugin.options.templateParameters.cspDefaultSrc %> https://api.github.com/repos/ActivityWatch/activitywatch/releases/latest; img-src 'self' data:; font-src 'self' data:; style-src 'self' 'unsafe-inline'; object-src 'none'; script-src 'self' 'unsafe-eval'">
</head>
<body>
<noscript>
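Review bot: `script-src 'self' 'unsafe-eval'` and `style-src 'self' 'unsafe-inline'` are carried over unchanged, so the csp-evaluator link added in the comment above will still report 'unsafe-eval' as a high-severity finding; the "stricter in prod" part of this change is limited to dropping the dev-server origins from default-src. If 'unsafe-eval' is only required by the development build, the same templateParameters mechanism could gate it as well (a second parameter interpolated into script-src, emitted empty in production). Two smaller points: `<%= ... %>` is unescaped interpolation in html-webpack-plugin templates, so the parameter must stay a build-time constant and never be derived from request or user input; and because no connect-src is declared, default-src also governs fetch/XHR/WebSocket, which is why the ws:// entry has to be listed explicitly and why the GitHub releases URL ends up in default-src. A dedicated `connect-src` for that URL and the WebSocket origin would keep the default-src fallback at just 'self'.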
5 changes: 4 additions & 1 deletion vue.config.js
Expand Up @@ -15,6 +15,9 @@ module.exports = {
index: {
entry: './src/main.js',
template: './src/index.html',
templateParameters: {
cspDefaultSrc: process.env.NODE_ENV === 'production' ? '' : '*:5600 *:5666 ws://*:27180',
},
},
},
chainWebpack: config => {
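Review bot: the dev-only value `'*:5600 *:5666 ws://*:27180'` is wider than the hosts it replaces in src/index.html (`127.0.0.1:5600 127.0.0.1:5666 localhost:5666`): `*:5600` and `*:5666` match any host on those ports rather than loopback only, and the plain `*:27180` entry from the old policy is dropped while `ws://*:27180` is kept. Both may well be intentional, but a one-line comment stating why, and that the string is only emitted when NODE_ENV is not 'production', would save the next reader a trip through git blame. Minor: in production the parameter is the empty string, so the rendered directive contains two consecutive spaces after `'self'`; browsers tolerate this, but assembling the source list as an array and joining it with a single space would avoid it.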
Expand All @@ -40,8 +43,8 @@ module.exports = {
plugins: [
new webpack.IgnorePlugin({ resourceRegExp: /^\.\/locale$/, contextRegExp: /moment$/ }),
new webpack.DefinePlugin({
AW_SERVER_URL: process.env.AW_SERVER_URL,
PRODUCTION: process.env.NODE_ENV === 'production',
AW_SERVER_URL: process.env.AW_SERVER_URL,
COMMIT_HASH: JSON.stringify(_COMMIT_HASH),
}),
new CopyWebpackPlugin([{ from: 'static/', to: 'static' }]),
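Review bot: the swap of `AW_SERVER_URL` and `PRODUCTION` in the DefinePlugin block is a pure reorder unrelated to the CSP change and could be dropped to keep the diff focused. While here: `AW_SERVER_URL: process.env.AW_SERVER_URL` passes the raw environment value, whereas `COMMIT_HASH` is wrapped in `JSON.stringify`. DefinePlugin substitutes its values into the bundle as source text, so a URL taken from the environment would be injected as a bare expression rather than a string literal, and as `undefined` when the variable is unset. If the consuming code expects a string, `AW_SERVER_URL: JSON.stringify(process.env.AW_SERVER_URL)` matches the treatment of `COMMIT_HASH` on the line below.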

1 comment on commit 35ad0ae

@github-actions

Here are screenshots of this commit:

Screenshots using aw-server v0.12.3b11

Screenshots using aw-server-rust master

Screenshots using aw-server-rust v0.12.3b11
