From b1de49b5f1d71436b9f2696c5b0bc3a2c7bc2bb2 Mon Sep 17 00:00:00 2001
From: Chris McGee
Date: Mon, 25 Nov 2024 17:30:46 -0500
Subject: [PATCH 1/2] [WEB-3294] only secure protocols for CSP sources
---
 server.js | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/server.js b/server.js
index 880b6ca374..b2ddb0ec0d 100644
--- a/server.js
+++ b/server.js
@@ -86,7 +86,7 @@ app.use(nonceMiddleware, helmet.contentSecurityPolicy({
 objectSrc: ['blob:'],
 workerSrc: ["'self'", 'blob:'],
 childSrc: ["'self'", 'blob:', 'https://docs.google.com', 'https://app.pendo.io'],
- frameSrc: ['https://docs.google.com', 'https://app.pendo.io', '*.tidepool.org', 'localhost:*', 'tidepooluploader://*'],
+ frameSrc: ['https://docs.google.com', 'https://app.pendo.io', 'https://*.tidepool.org', 'localhost:*', 'tidepooluploader://*'],
 connectSrc: [].concat([
 process.env.API_HOST || 'localhost:*',
 process.env.REALM_HOST,
@@ -97,16 +97,16 @@ app.use(nonceMiddleware, helmet.contentSecurityPolicy({
 'wss://tidepoolsupport.zendesk.com',
 'https://api.rollbar.com',
 'wss://*.zopim.com',
- '*.tidepool.org',
- '*.development.tidepool.org',
- '*.integration.tidepool.org',
- 'http://*.integration-test.tidepool.org',
+ 'https://*.tidepool.org',
+ 'https://*.development.tidepool.org',
+ 'https://*.integration.tidepool.org',
+ 'https://*.integration-test.tidepool.org',
 'https://app.pendo.io',
 'https://data.pendo.io',
 'https://pendo-static-5707274877534208.storage.googleapis.com',
 'https://*.launchdarkly.com',
 ]).filter(src => src !== undefined),
- frameAncestors: ['https://app.pendo.io', '*.tidepool.org', 'localhost:*']
+ frameAncestors: ['https://app.pendo.io', 'https://*.tidepool.org', 'localhost:*']
 },
 reportOnly: false,
 }));
From 5f21c6e63669f74823a17ac5624897a9546ccfff Mon Sep 17 00:00:00 2001
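Review bot: `'localhost:*'` in the new frameSrc line is still scheme-less, so it matches `http://localhost` on any port even though the commit title says sources are now limited to secure protocols; the same holds for the `process.env.API_HOST || 'localhost:*'` fallback in connectSrc that appears as context here. If that entry exists only for local development, it would be safer to add it conditionally rather than ship it in every environment, e.g. `...(process.env.NODE_ENV === 'production' ? [] : ['localhost:*'])`, or at least mark the intent with `// scheme-less on purpose: local dev serves over plain http`. The `app.use(nonceMiddleware, helmet.contentSecurityPolicy({ ... }))` call this hunk edits begins in the hunk header and ends outside the hunk.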
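Review bot: The updated `frameAncestors` still lists `'localhost:*'`, which lets any page served from localhost on any port, over http or https, embed this app; in production that keeps open the clickjacking surface `frame-ancestors` exists to close, so consider `frameAncestors: ['https://app.pendo.io', 'https://*.tidepool.org', ...(process.env.NODE_ENV === 'production' ? [] : ['localhost:*'])]`. Separately, `'https://*.development.tidepool.org'`, `'https://*.integration.tidepool.org'` and `'https://*.integration-test.tidepool.org'` appear to be subsumed by `'https://*.tidepool.org'`, since a CSP `*.` host wildcard also matches deeper subdomains — if that reading is right the three entries are redundant, though harmless. Also, `.filter(src => src !== undefined)` only drops unset env vars; an env var set to an empty string would pass `''` into the directive, so `.filter(Boolean)` would be the stricter guard.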
From: Chris McGee
Date: Mon, 25 Nov 2024 17:31:24 -0500
Subject: [PATCH 2/2] [WEB-3294] lint/best practice updates
---
 server.js | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/server.js b/server.js
index b2ddb0ec0d..453b3a6970 100644
--- a/server.js
+++ b/server.js
@@ -1,11 +1,11 @@
-const http = require('http');
-const https = require('https');
-const fs = require('fs');
-const path = require('path');
+const http = require('node:http');
+const https = require('node:https');
+const fs = require('node:fs');
+const path = require('node:path');
 const express = require('express');
 const helmet = require('helmet');
 const bodyParser = require('body-parser');
-const crypto = require('crypto');
+const crypto = require('node:crypto');
 const config = require('./config.server.js');
@@ -143,14 +143,14 @@ if (!(config.httpPort || config.httpsPort)) {
 if (config.httpPort) {
 app.server = http.createServer(app).listen(config.httpPort, () => {
 console.log('Connect server started on port', config.httpPort);
- console.log('Serving static directory "' + staticDir + '/"');
+ console.log(`Serving static directory "${staticDir}/"`);
 });
 }
 if (config.httpsPort) {
 https.createServer(config.httpsConfig, app).listen(config.httpsPort, () => {
 console.log('Connect server started on HTTPS port', config.httpsPort);
- console.log('Serving static directory "' + staticDir + '/"');
+ console.log(`Serving static directory "${staticDir}/"`);
 });
 }
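Review bot: The `node:` specifiers introduced for `http`, `https`, `fs`, `path` and `crypto` are only resolved by CommonJS `require()` on Node 14.18+ / 16+; if the project's `engines` field (not visible here) still admits an older runtime, startup fails with a module-not-found error, so the supported Node floor should be checked or raised in the same change. A short comment above the block would save the next reader the lookup, e.g. `// node: prefix marks these as built-ins (needs Node >= 14.18)`.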
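Review bot: Both listen callbacks now carry the same pair of `console.log` lines, differing only in the label and the port, so the template-literal rewrite is duplicated; a small `logStarted(label, port)` helper that prints both lines would reduce each handler to a single call. Visible in the hunk but not introduced by it: the HTTP server is kept in `app.server` while the HTTPS server is not stored anywhere, so only the former can be closed or inspected later — worth confirming that asymmetry is intentional. `staticDir` is defined outside the hunk.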