From e571f80008a92162800c8c69843d06c8ffbad36b Mon Sep 17 00:00:00 2001
From: Vim USDS
Date: Fri, 1 Jul 2022 10:50:37 -0700
Subject: [PATCH] Add CSP plugin - OWASP flagged a minor issue with CSP. Checking if this will fix the issue
---
 client/gatsby-config.js | 16 ++++++++++++++++
 client/package-lock.json | 19 +++++++++++++++++++
 client/package.json | 1 +
 3 files changed, 36 insertions(+)
diff --git a/client/gatsby-config.js b/client/gatsby-config.js
index f1536616..432ce762 100644
--- a/client/gatsby-config.js
+++ b/client/gatsby-config.js
@@ -105,5 +105,21 @@ module.exports = {
 sampleRate: 0.7,
 },
 },
+ {
+ resolve: `gatsby-plugin-csp`,
+ options: {
+ disableOnDev: true,
+ reportOnly: false, // Changes header to Content-Security-Policy-Report-Only for csp testing purposes
+ mergeScriptHashes: true, // you can disable scripts sha256 hashes
+ mergeStyleHashes: true, // you can disable styles sha256 hashes
+ mergeDefaultDirectives: true,
+ directives: {
+ 'script-src': '\'self\' www.google-analytics.com',
+ 'style-src': '\'self\' \'unsafe-inline\'',
+ 'img-src': '\'self\' data: www.google-analytics.com',
+ // you can add your directives or override defaults
+ },
+ },
+ },
 ],
 };
diff --git a/client/package-lock.json b/client/package-lock.json
index 7767109c..316e1d5f 100644
--- a/client/package-lock.json
+++ b/client/package-lock.json
@@ -14,6 +14,7 @@
 "@trussworks/react-uswds": "^2.9.0",
 "@turf/bbox": "^6.5.0",
 "d3-ease": "^3.0.1",
+ "gatsby-plugin-csp": "^1.1.3",
 "gatsby-plugin-env-variables": "^2.2.0",
 "gatsby-plugin-robots-txt": "^1.7.0",
 "gatsby-plugin-sitemap": "^4.10.0",
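Review bot: The new `'style-src': '\'self\' \'unsafe-inline\''` line combined with `mergeStyleHashes: true` is self-defeating: once the plugin appends sha256 hashes to that directive, CSP Level 2+ browsers ignore `'unsafe-inline'` in a directive that also carries hashes, so any inline style not covered by a build-time hash is blocked even though the token reads as if it were permitted. Pick one mode — keep the hashes and drop the token (`'style-src': '\'self\''`), or set `mergeStyleHashes: false` if styles are injected at runtime — and since `reportOnly: false` enforces immediately, a report-only pass first would surface whatever gets blocked. The directives list names no `object-src`, `base-uri` or `frame-ancestors`; whether `mergeDefaultDirectives: true` supplies them is not visible here, so confirm the rendered policy contains at least `object-src 'none'` and `base-uri 'self'`. If the plugin delivers the policy as a `<meta http-equiv>` tag rather than a response header (worth confirming, despite the "Changes header" comment), report-only mode and `frame-ancestors` have no effect in a meta policy and would still need a real header to satisfy a scanner finding. The enclosing `plugins` array and `module.exports` object start outside the hunk.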
@@ -11697,6 +11698,15 @@
 "node": ">=12.13.0"
 }
 },
+ "node_modules/gatsby-plugin-csp": {
+ "version": "1.1.3",
+ "resolved": "https://registry.npmjs.org/gatsby-plugin-csp/-/gatsby-plugin-csp-1.1.3.tgz",
+ "integrity": "sha512-jTAdWpJXCAaqBXAmf07XVnsgHp7tdtC36XrOQUMRMrEOkEIpM+x+4X3Xma4YAmFbuGH+QKRGmbmCCRNhV//EDA==",
+ "dependencies": {
+ "@babel/runtime": "^7.0.0",
+ "lodash.flatten": "^4.4.0"
+ }
+ },
 "node_modules/gatsby-plugin-env-variables": {
 "version": "2.2.0",
 "resolved": "https://registry.npmjs.org/gatsby-plugin-env-variables/-/gatsby-plugin-env-variables-2.2.0.tgz",
@@ -35666,6 +35676,15 @@
 "micromatch": "^4.0.4"
 }
 },
+ "gatsby-plugin-csp": {
+ "version": "1.1.3",
+ "resolved": "https://registry.npmjs.org/gatsby-plugin-csp/-/gatsby-plugin-csp-1.1.3.tgz",
+ "integrity": "sha512-jTAdWpJXCAaqBXAmf07XVnsgHp7tdtC36XrOQUMRMrEOkEIpM+x+4X3Xma4YAmFbuGH+QKRGmbmCCRNhV//EDA==",
+ "requires": {
+ "@babel/runtime": "^7.0.0",
+ "lodash.flatten": "^4.4.0"
+ }
+ },
 "gatsby-plugin-env-variables": {
 "version": "2.2.0",
 "resolved": "https://registry.npmjs.org/gatsby-plugin-env-variables/-/gatsby-plugin-env-variables-2.2.0.tgz",
diff --git a/client/package.json b/client/package.json
index 7f079e2e..bd58e8d5 100644
--- a/client/package.json
+++ b/client/package.json
@@ -79,6 +79,7 @@
 "@trussworks/react-uswds": "^2.9.0",
 "@turf/bbox": "^6.5.0",
 "d3-ease": "^3.0.1",
+ "gatsby-plugin-csp": "^1.1.3",
 "gatsby-plugin-env-variables": "^2.2.0",
 "gatsby-plugin-robots-txt": "^1.7.0",
 "gatsby-plugin-sitemap": "^4.10.0",