diff --git a/packages/sui-ssr/hooks-types.js b/packages/sui-ssr/hooks-types.js
index cff882b09..093e0c6bb 100644
--- a/packages/sui-ssr/hooks-types.js
+++ b/packages/sui-ssr/hooks-types.js
@@ -7,6 +7,7 @@ export default {
 PRE_HEALTH: 'pre_health',
 SETUP_CONTEXT: 'setup_context',
 PRE_SSR_HANDLER: 'pre_ssr_handler',
+ CSP_REPORT: 'csp-report',
 PRE_STATIC_PUBLIC: 'pre_static_public',
 ROUTE_MATCHING: 'route_matching'
 }
diff --git a/packages/sui-ssr/server/hooksFactory/index.js b/packages/sui-ssr/server/hooksFactory/index.js
index c0cb04882..a21b170d9 100644
--- a/packages/sui-ssr/server/hooksFactory/index.js
+++ b/packages/sui-ssr/server/hooksFactory/index.js
@@ -114,6 +114,8 @@ export const hooksFactory = async () => {
 return next()
 },
 [TYPES.LOGGING]: NULL_MDWL,
+ [TYPES.CSP_REPORT]: (req, res) => res.status(200).json({message: 'Tracking disabled'}),
 [TYPES.PRE_STATIC_PUBLIC]: NULL_MDWL,
 [TYPES.SETUP_CONTEXT]: async (req, res, next) => {
 const startContextCreationTime = process.hrtime()
diff --git a/packages/sui-ssr/server/index.js b/packages/sui-ssr/server/index.js
index e234697cc..9eed1cae9 100644
--- a/packages/sui-ssr/server/index.js
+++ b/packages/sui-ssr/server/index.js
@@ -1,4 +1,5 @@
 /* eslint no-console:0 */
+import bodyParser from 'body-parser'
 import compression from 'compression'
 import express from 'express'
 import basicAuth from 'express-basic-auth'
@@ -56,6 +57,13 @@ const _memoizedHtmlTemplatesMapping = {}
 app.use(hooks[TYPES.ROUTE_MATCHING])
 app.use(hooks[TYPES.LOGGING])
+
+ app.post( `/${TYPES.CSP_REPORT}`, bodyParser.json({type: 'application/csp-report'}), hooks[TYPES.CSP_REPORT] )
+
 runningUnderAuth && app.use(basicAuth(AUTH_DEFINITION))
 app.use(express.static('statics'))
diff --git a/packages/sui-ssr/server/middlewares/ssr.js b/packages/sui-ssr/server/middlewares/ssr.js
index f639fb059..4c77007f5 100644
--- a/packages/sui-ssr/server/middlewares/ssr.js
+++ b/packages/sui-ssr/server/middlewares/ssr.js
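Review bot: The default `CSP_REPORT` hook answers `200` with a JSON body, but a CSP report sink is conventionally a fire-and-forget endpoint that returns `204 No Content`, since the browser discards whatever comes back; `(req, res) => res.sendStatus(204)` does the job and avoids describing server configuration (`'Tracking disabled'`) to an unauthenticated caller. A one-line comment on the entry would also help overriders: `// default sink: reports are discarded; override this hook to persist them`. The enclosing `hooksFactory` object starts and ends outside the hunk.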
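Review bot: The new `app.post` route is registered before `basicAuth` and `express.static`, so it is an unauthenticated POST sink whose body is entirely client-controlled; that is presumably intended so browser reports are not rejected, but it means any implementation of the `CSP_REPORT` hook must treat `req.body` as untrusted (log injection, unbounded fields) and a rate limit in front of this route is worth considering, since nothing here stops a client from flooding it. The parser is also restricted to `type: 'application/csp-report'`, so a report that arrives as `application/json` (which some user agents and intermediaries appear to send) reaches the hook with `req.body` undefined; `bodyParser.json({type: ['application/csp-report', 'application/json'], limit: '50kb'})` accepts both and makes the size cap explicit rather than relying on body-parser's default. Whether the hook is invoked on parse failure or the error handler short-circuits first is decided by the rest of `server/index.js`, which the hunk does not show.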
@@ -37,6 +37,8 @@ try {
 const HEAD_OPENING_TAG = ''
 const HEAD_CLOSING_TAG = ''
+const CSP_REPORT_PATH = '/csp-report'
+
 const formatServerTimingHeader = metrics =>
 Object.entries(metrics)
 .reduce((acc, [name, value]) => `${acc}${name};dur=${value},`, '')
@@ -206,7 +208,8 @@ export default async (req, res, next) => {
 'Server-Timing': formatServerTimingHeader({
 ...performance,
 ...ssrPerformance
- })
+ }),
+ 'Content-Security-Policy-Report-Only': `default-src 'self'; report-uri ${CSP_REPORT_PATH}`
 })
 res.write(HtmlBuilder.buildHead({headTplPart, headString, htmlAttributes}))
 res.flush()
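Review bot: `CSP_REPORT_PATH = '/csp-report'` duplicates by hand the path that `server/index.js` builds from `TYPES.CSP_REPORT`, so renaming the hook type would silently leave `report-uri` pointing at a route that no longer exists and reports would 404 without any visible failure. Deriving it from the shared constant keeps the two in lockstep: `const CSP_REPORT_PATH = \`/${TYPES.CSP_REPORT}\``, assuming the hooks-types module is or can be imported in this file, which the hunk does not show. Failing that, at least pin the coupling in a comment: `// must match the app.post(\`/${TYPES.CSP_REPORT}\`) route in server/index.js`.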
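Review bot: The new `Content-Security-Policy-Report-Only` header relies on `report-uri` alone, a directive CSP3 deprecates in favour of `report-to` backed by a `Reporting-Endpoints` header; current browsers still honour `report-uri`, so this works today, but a comment recording the choice would spare the next maintainer the research: `// report-uri is deprecated but still honoured by all major browsers; add report-to/Reporting-Endpoints before switching to enforcement`. Because the policy is report-only, `default-src 'self'` blocks nothing, yet every inline script, style or third-party asset the SSR page emits will now produce a report on each page load, so traffic to `/csp-report` scales with page views and should be expected when sizing whatever the hook does with the body. The enclosing `export default async (req, res, next)` handler begins and ends outside the hunk.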