Initial implementation of CSP headers (#2)

* Create shadow for volto helper/Html/Html.jsx

* Initial development of csp addon

* Initial implementation of critical css hashing

* Fix invalid csp env vars

* Fix missing return if no meta tags are found

* lint fixes

* more lint fixes

* Don't run crypto in browser

---------

Co-authored-by: [email protected] <[email protected]>

Author: instification

LICENCE.md

@@ -0,0 +1,7 @@
+Copyright 2023 Plone
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the “Software”), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

README.md

@@ -1,150 +1,137 @@
 # volto-csp
 
-## Introduction
+Volto addon to provide Content Security Policy (CSP) headers to a volto site.
 
-## Development
+For more information on CSP see: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
 
-You can develop an add-on in isolation using the boilerplate already provided by the add-on generator.
-The project is configured to have the current add-on installed and ready to work with.
-This is useful to bootstrap an isolated environment that can be used to quickly develop the add-on or for demo purposes.
-It's also useful when testing an add-on in a CI environment.
+This package sets the necessary `<meta http-equiv="Content-Security-Policy">` tag in the head section of a rendered page.
 
-```{note}
-It's quite similar when you develop a Plone backend add-on in the Python side, and embed a ready to use Plone build (using buildout or pip) in order to develop and test the package.
-```
-
-The dockerized approach performs all these actions in a custom built docker environment:
-
-1. Generates a vanilla project using the official Volto Yo Generator (@plone/generator-volto)
-2. Configures it to use the add-on with the name stated in the `package.json`
-3. Links the root of the add-on inside the created project
-
-After that you can use the inner dockerized project, and run any standard Volto command for linting, acceptance test or unit tests using Makefile commands provided for your convenience.
+It automtacially adds the hash values for inline scripts generated by volto, meaning `unsafe-inline` need not be used when hosting a volto site.
 
-### Setup the environment
+## Installation
 
-Run once
+Add the following lines to your `package.json`:
 
-```shell
-make dev
 ```
-
-which will build and launch the backend and frontend containers.
-There's no need to build them again after doing it the first time unless something has changed from the container setup.
-
-In order to make the local IDE play well with this setup, is it required to run once `yarn` to install locally the required packages (ESlint, Prettier, Stylelint).
-
-Run
-
-```shell
-yarn
+"addons": [
+    "volto-csp"
+  ],
 ```
 
-### Build the containers manually
-
-Run
+and run `yarn build`
 
-```shell
-make build-backend
-make build-addon
-```
+## Basic Usage
 
-### Run the containers
+This addon is enabled by setting one or more of the `RAZZLE_CSP_...` headers.
 
-Run
+E.g. to set the `default-src` directive to `'self' data: https:` you would set:
 
-```shell
-make start-dev
+```
+RAZZLE_CSP_DEFAULT_SRC="'self' data: https:"
 ```
 
-This will start both the frontend and backend containers.
-
-### Stop Backend (Docker)
-
-After developing, in order to stop the running backend, don't forget to run:
+Every valid CSP header can be set this way.
 
-Run
+CSP directives can be added to `RAZZLE_CSP_` by taking the directive name, swappings hyphens (`-`) to underscores (`_`) and making it uppercase.
 
-```shell
-make stop-backend
-```
+Some common values are:
 
-### Linting
+---
+Directive|Environment Variable
+-|-
+`default-src`|`RAZZLE_CSP_DEFAULT_SRC`
+`script-src`|`RAZZLE_CSP_SCRIPT_SRC`
+`font-src`|`RAZZLE_CSP_FONT_SRC`
 
-Run
 
-```shell
-make lint
-```
+The full list of environment variables is below.
 
-### Formatting
+## Script Hashes
 
-Run
+Volto includes a number of inline scripts. Good practice is to not use the `unsafe-inline` source value for `script-src`. This package creates sha256 hashes of the inline scripts and includes those hash digests as sources in any `script-src` directive.
 
-```shell
-make format
-```
+If `RAZZLE_CSP_DEFAULT_SRC` is set and no value for `RAZZLE_CSP_SCRIPT_SRC` is set. Then the addon will add the `script-src` directive as a duplicate of the `default-src` with the hashed inline scripts added.
 
-### i18n
+## Critical CSS
 
-Run
+Volto allows you to automatically include [critical css](https://2022.training.plone.org/effective-volto/development/criticalCSS.html) as inline styles.
 
-```shell
-make i18n
-```
+This addon will generate and add the necessary hashsum for the critical css to the `style-src` directive.
 
-### Unit tests
+The addon has not been configured to work with single page critical css. If you are setting `settings.serverConfig.readCricitalCss` the checksum will likely not match. It may be possible to integrate this kind of config in future, please raise an issue if you need make use of it.
+## Development Mode
 
-Run
+If you set `RAZZLE_CSP_DEFAULT_SRC` or `RAZZLE_CSP_STYLE_SRC` and are running in development mode, this addon will automatically include the `'unsafe-inline'` to the `style-src` directive. This is because in development mode Volto adds a lot of inline styles which would otherwise be blocked.
 
-```shell
-make test
-```
+Future versions of this addon may be able to generate and add the hashes for inline styles.
+## Limitations
 
-### Acceptance tests
+As this package adds the policy via meta http-equiv tags it has some limitations vs setting http headers:
 
-Run once
+ -  The following directives aren't supported:
+    - report-uri
+    - frame-ancestors
+    - sandbox
 
-```shell
-make install-acceptance
-```
+This means that if you wish to enable CSP reporting, you will not be able to use this addon. A workaround is to set the same policy via HTTP headers using `Content-Security-Policy-Report-Only`. This would give you error reporting as well as the additional script hashing provided by this package. In this scenario, you would need to enable `unsafe-inline` in the http headers for `script-src` (otherwise you would get reports every time a page is rendered).
 
-For starting the servers
+## Environment Variables
 
-Run
+### Special Variables
 
-```shell
-make start-test-acceptance-server
 ```
+RAZZLE_CSP_DEFAULT_SRC
+RAZZLE_CSP_SCRIPT_SRC
+RAZZLE_CSP_STYLE_SRC
+```
+### Standard Variables
 
-The frontend is run in dev mode, so development while writing tests is possible.
+```
+RAZZLE_CSP_BASE_URI
+RAZZLE_CSP_BLOCK_ALL_MIXED_CONTENT
+RAZZLE_CSP_CHILD_SRC
+RAZZLE_CSP_CONNECT_SRC
+RAZZLE_CSP_FONT_SRC
+RAZZLE_CSP_FORM_ACTION
+RAZZLE_CSP_FRAME_SRC
+RAZZLE_CSP_IMG_SRC
+RAZZLE_CSP_MANIFEST_SRC
+RAZZLE_CSP_MEDIA_SRC
+RAZZLE_CSP_OBJECT_SRC
+RAZZLE_CSP_REQUIRE_TRUSTED_TYPES_FOR
+RAZZLE_CSP_SCRIPT_SRC_ATTR
+RAZZLE_CSP_SCRIPT_SRC_ELEM
+RAZZLE_CSP_STYLE_SRC_ATTR
+RAZZLE_CSP_STYLE_SRC_ELEM
+RAZZLE_CSP_TRUSTED_TYPES
+RAZZLE_CSP_UPGRADE_INSECURE_REQUESTS
+RAZZLE_CSP_WORKDER_SRC
+```
+### Deprecated Variables
 
-Run
+A server side console warning will be displayed if the following are used. The headers will still be added to the meta tag.
 
-```shell
-make test-acceptance
 ```
+RAZZLE_CSP_PLUGIN_TYPES
+RAZZLE_CSP_PREFETCH_SRC
+RAZZLE_CSP_REFERRER
+```
+### Invalid Variables
 
-To run Cypress tests afterwards.
-
-When finished, don't forget to shutdown the backend server.
+These directives are not compatible with meta tag syntax and will not be added.
 
-```shell
-make stop-test-acceptance-server
+```
+RAZZLE_CSP_FRAME_ANCESTORS
+RAZZLE_CSP_SANDBOX
+RAZZLE_CSP_REPORT_TO
+RAZZLE_CSP_REPORT_URI
 ```
 
-### Release
-
-Run
+## Author
 
-```shell
-make release
-```
+[Jon Pentland](https://github.com/instification), PretaGov Ltd
 
-For releasing a RC version
+## Licence
 
-Run
+This addon is packaged under the MIT licence. See `LICENCE.md`.
 
-```shell
-make release-rc
-```

news/1.feature

@@ -0,0 +1 @@
+Create initial version of addon @instification

package.json

@@ -43,5 +43,8 @@
   },
   "peerDependencies": {
     "@plone/volto": "^17.0.0"
+  },
+  "browser": {
+    "crypto": false
   }
 }

src/components/index.js

@@ -0,0 +1,12 @@
+/**
+ * Add your components here.
+ * @module components
+ * @example
+ * import Footer from './Footer/Footer';
+ *
+ * export {
+ *   Footer,
+ * };
+ */
+
+export { CspHeader } from './meta/CspHeader';