@forge/csp

5.5.0-next.0 5.5.0-next.1
out/csp/csp-injection-service.js
~out/csp/csp-injection-service.jsModified
+13−7
Index: package/out/csp/csp-injection-service.js
===================================================================
--- package/out/csp/csp-injection-service.js
+++ package/out/csp/csp-injection-service.js
@@ -128,14 +128,14 @@
 exports.getAtlassianImageHost = getAtlassianImageHost;
 exports.EXTERNAL_ALLOW_LISTED_IMAGES_HOSTS = ['https://secure.gravatar.com', 'https://images.unsplash.com'];
 class CSPInjectionService {
     constructor() {
-        this.getInjectableCSP = ({ existingCSPDetails, microsEnv, tunnelCSPReporterUri, hostname, isFedRAMP, icOptions, macroParentHostDomain }) => {
+        this.getInjectableCSP = ({ existingCSPDetails, microsEnv, tunnelCSPReporterUri, hostname, isFedRAMP, icOptions, macroParentHost }) => {
             const reportUri = tunnelCSPReporterUri || this.getCSPReportUri(microsEnv, icOptions);
             const defaultSrc = ["'self'", ...getFOSHostDownload(microsEnv, icOptions)].join(' ');
             const frameAncestors = [
                 "'self'",
-                ...this.getFrameAncestors(microsEnv, hostname, icOptions, macroParentHostDomain),
+                ...this.getFrameAncestors(microsEnv, hostname, icOptions, macroParentHost),
                 ...getFOSHostDownload(microsEnv, icOptions)
             ].join(' ');
             const frameSrc = [
                 "'self'",
@@ -251,10 +251,11 @@
         allowed.push(...getFOSHostDownload(microsEnv, icOptions));
         allowed.push(...getFOSHostUpload(microsEnv, icOptions));
         return allowed;
     }
-    getFrameAncestors(microsEnv, hostname, icOptions, macroParentHostDomain) {
+    getFrameAncestors(microsEnv, hostname, icOptions, macroParentHost) {
         let frameAncestors = [];
+        const localhostWithPortRegex = /^localhost:\d+$/;
         switch (microsEnv) {
             case 'dev':
             case 'stg':
                 frameAncestors = [
@@ -264,10 +265,10 @@
                     'https://integration.bb-inf.net',
                     '*.atl-paas.net',
                     '*.stg.atlassian.com'
                 ];
-                if (macroParentHostDomain) {
-                    frameAncestors.push(`${macroParentHostDomain}.cdn.stg.atlassian-dev.net`);
+                if (macroParentHost && !localhostWithPortRegex.test(macroParentHost)) {
+                    frameAncestors.push(`${macroParentHost}.cdn.stg.atlassian-dev.net`);
                 }
                 break;
             case 'fedramp-stg':
                 frameAncestors = ['*.atlassian-stg-fedm.net'];
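Review bot: `macroParentHost` is placed into a frame-ancestors source via `${macroParentHost}.cdn.stg.atlassian-dev.net` after only a localhost check, so a value containing whitespace, `;` or `*` would change the policy rather than add a single host. The same unvalidated interpolation is in the prod branch of the next hunk. Where the value originates is not visible here; if any part of it can come from the request, the guard should also check the shape, for example `if (macroParentHost && /^[a-z0-9-]+$/i.test(macroParentHost)) {`, assuming it is meant to be a single DNS label. getFrameAncestors starts in the previous hunk and continues past this one, and the file looks like compiled output, so the change would belong in its source.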
@@ -289,10 +290,15 @@
                     '*.jira.com',
                     '*.atlassian.com',
                     '*.frontend.public.atl-paas.net'
                 ];
-                if (macroParentHostDomain) {
-                    frameAncestors.push(`${macroParentHostDomain}.cdn.prod.atlassian-dev.net`);
+                if (macroParentHost) {
+                    if (localhostWithPortRegex.test(macroParentHost)) {
+                        frameAncestors.push(macroParentHost);
+                    }
+                    else {
+                        frameAncestors.push(`${macroParentHost}.cdn.prod.atlassian-dev.net`);
+                    }
                 }
                 break;
         }
         if (hostname) {
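Review bot: The prod branch now adds a bare `localhost:<port>` to frame-ancestors whenever `macroParentHost` matches `localhostWithPortRegex`, while the dev/stg branch in the previous hunk drops localhost entirely, and nothing in the code explains why production is the environment that permits a local framing parent. frame-ancestors is the clickjacking control, so this entry lets whatever is served on that local port embed the app. If the value can be influenced by the caller, the branch should depend on an explicit development or tunnel signal rather than on the shape of the string (getInjectableCSP already receives `tunnelCSPReporterUri`, if that is the intended use). At minimum, add a comment above the inner `if`, such as `// local dev only: parent page is served from localhost:<port>; permitted in prod because <reason>`. It is also worth confirming that a schemeless source matches the intended parent, since it takes the scheme of the protected page and an `http://localhost` parent may not match an app served over https.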