npm package diff
Package: @forge/csp
Versions: 4.2.0-experimental-959d7b9 - 4.2.0-experimental-a6c1d53
File: package/out/csp/csp-injection-service.js
Index: package/out/csp/csp-injection-service.js
===================================================================
--- package/out/csp/csp-injection-service.js
+++ package/out/csp/csp-injection-service.js
@@ -2,9 +2,15 @@
Object.defineProperty(exports, "__esModule", { value: true });
exports.CSPInjectionService = exports.EXTERNAL_ALLOW_LISTED_IMAGES_HOSTS = exports.getAtlassianImageHost = void 0;
const types_1 = require("../types");
const isICEnvKey = (env) => env === 'ic-prod' || env === 'ic-stg';
-const getICDomain = (env, icLabel) => `${icLabel}.${env === 'ic-prod' ? 'atlassian-isolated.net' : 'oasis-stg.com'}`;
+const makeICDomain = (env, icLabel) => `${icLabel}.${env === 'ic-prod' ? 'atlassian-isolated.net' : 'oasis-stg.com'}`;
+const getICDomain = (env, icOptions) => {
+ if ('getICDomain' in icOptions) {
+ return icOptions.getICDomain();
+ }
+ return makeICDomain(env, icOptions.icLabel);
+};
const makeICHosts = (targetHostFunction) => {
return {
'ic-stg': (icOptions) => targetHostFunction('ic-stg', icOptions),
'ic-prod': (icOptions) => targetHostFunction('ic-prod', icOptions)
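Review bot: The new `getICDomain` at the top of this hunk returns whatever the caller-supplied callback produces, and that string is later interpolated into CSP source expressions (`https://api.${…}`, and `*.${…}` in frame-ancestors elsewhere in this diff) with no check, so a value containing whitespace, `;` or `,` would add sources or whole directives to the emitted policy. The guard `'getICDomain' in icOptions` is also true when the key exists but is not a function (e.g. `getICDomain: undefined`), which then throws on the call, and it walks the prototype chain rather than checking an own property. I would test `typeof icOptions.getICDomain === 'function'` and refuse anything that is not a bare hostname before returning it, as below. `makeICHosts` begins in this hunk but its body continues past the end of it.

```javascript
const getICDomain = (env, icOptions) => {
    if (typeof icOptions.getICDomain === 'function') {
        const domain = icOptions.getICDomain();
        // This value lands in script-src / frame-ancestors; accept only a plain hostname.
        if (!/^[A-Za-z0-9.-]+$/.test(domain)) {
            throw new Error(`Invalid IC domain: ${domain}`);
        }
        return domain;
    }
    return makeICDomain(env, icOptions.icLabel);
};
```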
@@ -16,17 +22,17 @@
stg: 'https://api.stg.atlassian.com',
prod: 'https://api.atlassian.com',
'fedramp-stg': 'https://api.stg.atlassian-us-gov-mod.com',
'fedramp-prod': 'https://api.atlassian-us-gov-mod.com',
- ...makeICHosts((env, { icLabel }) => `https://api.${getICDomain(env, icLabel)}`)
+ ...makeICHosts((env, icOptions) => `https://api.${getICDomain(env, icOptions)}`)
},
ATLASSIAN_MEDIA_GATEWAY_HOST: {
dev: 'https://media.dev.atl-paas.net',
stg: 'https://media.staging.atl-paas.net',
prod: 'https://api.media.atlassian.com',
'fedramp-stg': 'https://api-media.stg.atlassian-us-gov-mod.com',
'fedramp-prod': 'https://api-media.atlassian-us-gov-mod.com',
- ...makeICHosts((env, { icLabel }) => `https://media-api.${getICDomain(env, icLabel)}`)
+ ...makeICHosts((env, icOptions) => `https://media-api.${getICDomain(env, icOptions)}`)
},
ATLASSIAN_AVATAR_HOST: {
dev: 'avatar-management--avatars.us-west-2.staging.public.atl-paas.net',
stg: 'avatar-management--avatars.us-west-2.staging.public.atl-paas.net',
@@ -41,25 +47,25 @@
stg: 'https://ptc-directory-sited-static.us-east-1.staging.public.atl-paas.net/gradients/',
prod: 'https://ptc-directory-sited-static.us-east-1.prod.public.atl-paas.net/gradients/',
'fedramp-stg': 'https://teams-directory-frontend.frontend.cdn.atlassian-us-gov-mod.com/assets/',
'fedramp-prod': 'https://teams-directory-frontend.frontend.cdn.atlassian-us-gov-mod.com/assets/',
- ...makeICHosts((env, { icLabel }) => `https://teams-directory-frontend.services.${getICDomain(env, icLabel)}/bfa/`)
+ ...makeICHosts((env, icOptions) => `https://teams-directory-frontend.services.${getICDomain(env, icOptions)}/bfa/`)
},
ATLASSIAN_TEAM_AVATAR_HOST: {
dev: 'https://teams-directory-frontend.stg-east.frontend.public.atl-paas.net/assets/',
stg: 'https://teams-directory-frontend.stg-east.frontend.public.atl-paas.net/assets/',
prod: 'https://teams-directory-frontend.prod-east.frontend.public.atl-paas.net/assets/',
'fedramp-stg': 'https://teams-directory-frontend.frontend.cdn.atlassian-us-gov-mod.com/assets/',
'fedramp-prod': 'https://teams-directory-frontend.frontend.cdn.atlassian-us-gov-mod.com/assets/',
- ...makeICHosts((env, { icLabel }) => `https://teams-directory-frontend.services.${getICDomain(env, icLabel)}/bfa/`)
+ ...makeICHosts((env, icOptions) => `https://teams-directory-frontend.services.${getICDomain(env, icOptions)}/bfa/`)
},
ATLASSIAN_EMOJIS_HOST: {
dev: 'https://pf-emoji-service--cdn.ap-southeast-2.dev.public.atl-paas.net',
stg: 'https://pf-emoji-service--cdn.us-east-1.staging.public.atl-paas.net',
prod: 'https://pf-emoji-service--cdn.us-east-1.prod.public.atl-paas.net',
'fedramp-stg': 'https://pf-emoji-service--cdn.us-east-1.staging.cdn.atlassian-us-gov-mod.com',
'fedramp-prod': 'https://pf-emoji-service--cdn.us-east-1.prod.cdn.atlassian-us-gov-mod.com',
- ...makeICHosts((env, { icLabel }) => `https://pf-emoji-service.${getICDomain(env, icLabel)}`)
+ ...makeICHosts((env, icOptions) => `https://pf-emoji-service.${getICDomain(env, icOptions)}`)
}
};
const getAtlassianHost = (hostType, microsEnv, icOptions) => {
const hostMap = ATLASSIAN_HOST[hostType];
@@ -84,30 +90,92 @@
};
exports.getAtlassianImageHost = getAtlassianImageHost;
exports.EXTERNAL_ALLOW_LISTED_IMAGES_HOSTS = ['https://secure.gravatar.com', 'https://images.unsplash.com'];
class CSPInjectionService {
+ constructor() {
+ this.getInjectableCSP = ({ existingCSPDetails, microsEnv, tunnelCSPReporterUri, hostname, isFedRAMP, icOptions }) => {
+ const reportUri = tunnelCSPReporterUri || this.getCSPReportUri(microsEnv, icOptions);
+ const defaultSrc = `'self'`;
+ const frameAncestors = ["'self'", ...this.getFrameAncestors(microsEnv, hostname, icOptions)].join(' ');
+ const frameSrc = ["'self'", hostname, ...this.getExistingCSPDetails(types_1.ExternalCspType.FRAME_SRC, existingCSPDetails)]
+ .filter((a) => a)
+ .join(' ');
+ const fontSrc = ["'self'", ...this.getExistingCSPDetails(types_1.ExternalCspType.FONT_SRC, existingCSPDetails)].join(' ');
+ const imgSrc = [
+ "'self'",
+ 'data:',
+ 'blob:',
+ hostname,
+ ...exports.EXTERNAL_ALLOW_LISTED_IMAGES_HOSTS,
+ ...(0, exports.getAtlassianImageHost)(microsEnv, icOptions),
+ ...this.getExistingCSPDetails(types_1.ExternalCspType.IMG_SRC, existingCSPDetails)
+ ]
+ .filter((a) => a)
+ .join(' ');
+ const mediaSrc = [
+ "'self'",
+ 'data:',
+ 'blob:',
+ hostname,
+ getAtlassianHost('ATLASSIAN_MEDIA_GATEWAY_HOST', microsEnv, icOptions),
+ ...this.getExistingCSPDetails(types_1.ExternalCspType.MEDIA_SRC, existingCSPDetails)
+ ]
+ .filter((a) => a)
+ .join(' ');
+ const connectSrc = [
+ "'self'",
+ ...this.getConnectSrc(microsEnv, !!tunnelCSPReporterUri, icOptions),
+ ...this.getExistingCSPDetails(types_1.ExternalCspType.CONNECT_SRC, existingCSPDetails)
+ ].join(' ');
+ const scriptSrc = [
+ "'self'",
+ this.getForgeGlobalCSP(microsEnv, isFedRAMP, icOptions),
+ ...this.getExistingCSPDetails(types_1.ExternalCspType.SCRIPT_SRC, existingCSPDetails)
+ ].join(' ');
+ const styleSrc = [
+ "'self'",
+ this.getForgeGlobalCSP(microsEnv, isFedRAMP, icOptions),
+ ...this.getExistingCSPDetails(types_1.ExternalCspType.STYLE_SRC, existingCSPDetails)
+ ].join(' ');
+ return [
+ `default-src ${defaultSrc}`,
+ `frame-ancestors ${frameAncestors}`,
+ `frame-src ${frameSrc}`,
+ `font-src ${fontSrc}`,
+ `img-src ${imgSrc}`,
+ `media-src ${mediaSrc}`,
+ `connect-src ${connectSrc}`,
+ `script-src ${scriptSrc}`,
+ `style-src ${styleSrc}`,
+ `form-action 'self'`,
+ `sandbox allow-downloads allow-forms allow-modals allow-pointer-lock allow-same-origin allow-scripts`,
+ `report-uri ${reportUri}`
+ ];
+ };
+ }
getCSPReportUri(microsEnv, icOptions) {
const serviceName = isICEnvKey(microsEnv) && icOptions ? icOptions.serviceName : 'forge-cdn';
if (microsEnv === 'dev' || microsEnv === 'stg')
return `https://web-security-reports.stg.services.atlassian.com/csp-report/${serviceName}`;
return `https://web-security-reports.services.atlassian.com/csp-report/${serviceName}`;
}
getForgeGlobalCSP(microsEnv, isFedRAMP = false, icOptions) {
if (isICEnvKey(microsEnv) && icOptions) {
- return `https://forge.forge-cdn.${getICDomain(microsEnv, icOptions.icLabel)}`;
+ return `https://forge.forge-cdn.${getICDomain(microsEnv, icOptions)}`;
}
return isFedRAMP
? `https://forge.cdn.${microsEnv.split('-')[1]}.atlassian-dev-us-gov-mod.net`
: `https://forge.cdn.${microsEnv}.atlassian-dev.net`;
}
getMetalClientCSP(microsEnv, icOptions) {
if (isICEnvKey(microsEnv) && icOptions) {
- return `https://api.${getICDomain(microsEnv, icOptions.icLabel)}/metal/ingest`;
+ return `https://api.${getICDomain(microsEnv, icOptions)}/metal/ingest`;
}
return `https://api.${microsEnv === 'prod' ? '' : 'stg.'}atlassian.com/metal/ingest`;
}
getExistingCSPDetails(cspType, cspDetails) {
- return cspDetails[cspType] ?? [];
+ var _a;
+ return (_a = cspDetails[cspType]) !== null && _a !== void 0 ? _a : [];
}
getConnectSrc(microsEnv, isTunnelling, icOptions) {
const allowed = [];
if (isTunnelling) {
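Review bot: `getInjectableCSP`, now assigned in the constructor, still builds every directive with `.join(' ')` over `hostname`, `tunnelCSPReporterUri` and the `existingCSPDetails` arrays without checking that each entry is a single source token, so one entry containing whitespace or `;` (for example `https://x.example; script-src *`) rewrites the policy instead of adding a host; the body looks like the removed class field moved unchanged for a lower compile target, so this is pre-existing, but this is the place to address it. I would route those inputs through a guard such as `const assertSource = (s) => { if (/[\s;,]/.test(s)) throw new Error(\`Invalid CSP source: ${s}\`); return s; };` applied with `.map(assertSource)` in `getExistingCSPDetails` and on `hostname` / `reportUri` before the join. Separately, the `sandbox … allow-same-origin allow-scripts` line grants both flags to the framed document, which largely neutralises the sandbox for same-origin content; a comment stating that this combination is intentional would help the next reader. `getConnectSrc` at the end of the hunk continues past it.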
@@ -141,9 +209,9 @@
break;
case 'ic-stg':
case 'ic-prod':
if (icOptions) {
- frameAncestors = [`*.${getICDomain(microsEnv, icOptions.icLabel)}`];
+ frameAncestors = [`*.${getICDomain(microsEnv, icOptions)}`];
}
break;
case 'prod':
default:
@@ -160,65 +228,6 @@
frameAncestors.push(hostname);
}
return frameAncestors;
}
- getInjectableCSP = ({ existingCSPDetails, microsEnv, tunnelCSPReporterUri, hostname, isFedRAMP, icOptions }) => {
- const reportUri = tunnelCSPReporterUri || this.getCSPReportUri(microsEnv, icOptions);
- const defaultSrc = `'self'`;
- const frameAncestors = ["'self'", ...this.getFrameAncestors(microsEnv, hostname, icOptions)].join(' ');
- const frameSrc = ["'self'", hostname, ...this.getExistingCSPDetails(types_1.ExternalCspType.FRAME_SRC, existingCSPDetails)]
- .filter((a) => a)
- .join(' ');
- const fontSrc = ["'self'", ...this.getExistingCSPDetails(types_1.ExternalCspType.FONT_SRC, existingCSPDetails)].join(' ');
- const imgSrc = [
- "'self'",
- 'data:',
- 'blob:',
- hostname,
- ...exports.EXTERNAL_ALLOW_LISTED_IMAGES_HOSTS,
- ...(0, exports.getAtlassianImageHost)(microsEnv, icOptions),
- ...this.getExistingCSPDetails(types_1.ExternalCspType.IMG_SRC, existingCSPDetails)
- ]
- .filter((a) => a)
- .join(' ');
- const mediaSrc = [
- "'self'",
- 'data:',
- 'blob:',
- hostname,
- getAtlassianHost('ATLASSIAN_MEDIA_GATEWAY_HOST', microsEnv, icOptions),
- ...this.getExistingCSPDetails(types_1.ExternalCspType.MEDIA_SRC, existingCSPDetails)
- ]
- .filter((a) => a)
- .join(' ');
- const connectSrc = [
- "'self'",
- ...this.getConnectSrc(microsEnv, !!tunnelCSPReporterUri, icOptions),
- ...this.getExistingCSPDetails(types_1.ExternalCspType.CONNECT_SRC, existingCSPDetails)
- ].join(' ');
- const scriptSrc = [
- "'self'",
- this.getForgeGlobalCSP(microsEnv, isFedRAMP, icOptions),
- ...this.getExistingCSPDetails(types_1.ExternalCspType.SCRIPT_SRC, existingCSPDetails)
- ].join(' ');
- const styleSrc = [
- "'self'",
- this.getForgeGlobalCSP(microsEnv, isFedRAMP, icOptions),
- ...this.getExistingCSPDetails(types_1.ExternalCspType.STYLE_SRC, existingCSPDetails)
- ].join(' ');
- return [
- `default-src ${defaultSrc}`,
- `frame-ancestors ${frameAncestors}`,
- `frame-src ${frameSrc}`,
- `font-src ${fontSrc}`,
- `img-src ${imgSrc}`,
- `media-src ${mediaSrc}`,
- `connect-src ${connectSrc}`,
- `script-src ${scriptSrc}`,
- `style-src ${styleSrc}`,
- `form-action 'self'`,
- `sandbox allow-downloads allow-forms allow-modals allow-pointer-lock allow-same-origin allow-scripts`,
- `report-uri ${reportUri}`
- ];
- };
}
exports.CSPInjectionService = CSPInjectionService;