diff --git a/packages/backend/src/server/web/ClientServerService.ts b/packages/backend/src/server/web/ClientServerService.ts
index 7f1a43792..5736938f0 100644
--- a/packages/backend/src/server/web/ClientServerService.ts
+++ b/packages/backend/src/server/web/ClientServerService.ts
@@ -7,6 +7,7 @@ import { FastifyAdapter } from '@bull-board/fastify';
 import ms from 'ms';
 import sharp from 'sharp';
 import pug from 'pug';
+import fs from 'node:fs';
 import { In, IsNull } from 'typeorm';
 import fastifyStatic from '@fastify/static';
 import fastifyView from '@fastify/view';
@@ -114,6 +115,7 @@ export class ClientServerService {
 @bindThis
 public createServer(fastify: FastifyInstance, options: FastifyPluginOptions, done: (err?: Error) => void) {
 fastify.register(fastifyCookie, {});
+ fastify.addContentTypeParser('application/csp-report', { parseAs: 'string' }, fastify.getDefaultJsonParser('ignore', 'ignore'));
 
 //#region Bull Dashboard
 const bullBoardPath = '/queue';
@@ -179,7 +181,10 @@ export class ClientServerService {
 ?? 'script-src \'self\' \'unsafe-eval\' ' +
 'https://challenges.cloudflare.com https://hcaptcha.com https://*.hcaptcha.com https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.recaptcha.net/recaptcha/; ' +
 'base-uri \'self\'; object-src \'self\';';
- reply.header('Content-Security-Policy', csp);
+ //reply.header('Content-Security-Policy', csp);
+ reply.header('Content-Security-Policy-Report-Only', 'script-src \'self\' ' +
+ 'https://challenges.cloudflare.com https://hcaptcha.com https://*.hcaptcha.com https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.recaptcha.net/recaptcha/; ' +
+ 'base-uri \'self\'; object-src \'self\'; report-uri /csp-testing');
 done();
 });
 
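Review bot: `fastify.getDefaultJsonParser('ignore', 'ignore')` in the added content-type parser switches off the `__proto__` and `constructor` poisoning checks that Fastify's default JSON parser applies (`'error'`), and this parser is bound to a content type any unauthenticated client can send to the report endpoint. The handler only serializes the body, so there is no reason to keep those keys; use `fastify.getDefaultJsonParser('remove', 'remove')` (or keep the default `'error'`) so poisoned keys never reach the logged object. The enclosing createServer body continues outside the hunk.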
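Review bot: Commenting out `reply.header('Content-Security-Policy', csp);` removes the enforced policy for every response and leaves only a report-only header, so the instance ships with no CSP enforcement while this is being tested, and the `csp` value (including the admin-configured policy the `??` line falls back from) is now computed but never used. Browsers honour both headers at once, so keep the enforced header and add the report-only one beside it: restore `reply.header('Content-Security-Policy', csp);` above the new `reply.header('Content-Security-Policy-Report-Only', ...)` call. Dropping `'unsafe-eval'` in the report-only policy looks intentional for measuring readiness, but that should be stated in a comment, e.g. `// Report-only trial of a policy without 'unsafe-eval'; enforced policy above is unchanged.` The enclosing onRequest hook starts outside the hunk.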
@@ -228,6 +233,12 @@ export class ClientServerService {
 decorateReply: false,
 });
 
+ fastify.post('/csp-testing', async (request, reply) => {
+ console.log(request.body);
+ fs.appendFileSync(`${_dirname}/../../../../../csp.log`, JSON.stringify(request.body) + "\n");
+ reply.code(204);
+ });
+
 fastify.get('/favicon.ico', async (request, reply) => {
 return reply.sendFile('/favicon.ico', staticAssets);
 });
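Review bot: The new `/csp-testing` route appends every unauthenticated POST body to disk with `fs.appendFileSync`, so the log grows without bound (Fastify's default `bodyLimit` caps one report, nothing caps the count) and each write blocks the event loop on the request path; a failed write (ENOSPC, EACCES) also escapes the handler as a 500 to the reporting browser. Switch to the awaited `fs.promises.appendFile` inside try/catch, drop the `console.log` of the raw body, and before this goes beyond a trial add a size cap or feature flag; the `../../../../../csp.log` location relative to `_dirname` is layout-dependent and would be better taken from configuration. The rewritten handler is below.
```typescript
fastify.post('/csp-testing', async (request, reply) => {
	// Best-effort logging: a failed write must not surface as a 5xx to the reporting browser.
	try {
		await fs.promises.appendFile(`${_dirname}/../../../../../csp.log`, JSON.stringify(request.body) + '\n');
	} catch (err: unknown) {
		console.error('csp report logging failed', err);
	}
	reply.code(204);
});
```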