Merge branch 'next' into enforce-host-check-https-bronto-approach

alxndrsn · Dec 8, 2024 · 938bd31 · 938bd31
2 parents 0fca92a + 515bfb9
commit 938bd31
Show file tree

Hide file tree

Showing 6 changed files with 24 additions and 6 deletions.
diff --git a/files/nginx/common-headers.conf b/files/nginx/common-headers.conf
@@ -6,7 +6,7 @@
 # They are included here to ease interpretation of violation reports.
 #
 # N.B. a separate CSP is defined for Enketo in odk.conf.template
-add_header Content-Security-Policy-Report-Only "default-src 'none'; connect-src 'self'; font-src 'self'; frame-src 'self' https://getodk.github.io/central/news.html; img-src *; manifest-src 'none'; media-src 'none'; object-src 'none'; script-src 'self'; style-src 'self'; style-src-attr 'unsafe-inline'; report-uri /csp-report";
+add_header Content-Security-Policy-Report-Only "default-src 'none'; connect-src 'self'; font-src 'self'; frame-src 'self' https://getodk.github.io/central/news.html; img-src * data:; manifest-src 'none'; media-src 'none'; object-src 'none'; script-src 'self'; style-src 'self'; style-src-attr 'unsafe-inline'; report-uri /csp-report";
 
 # If changing these headers, please apply the same updates to enketo
 # location(s) in odk.conf.template

diff --git a/files/nginx/odk.conf.template b/files/nginx/odk.conf.template
@@ -31,7 +31,7 @@ server {
   gzip_vary on;
   gzip_min_length 1280;
   gzip_http_version 1.1;
-  gzip_types text/plain text/css application/json application/x-javascript text/xml text/csv;
+  gzip_types text/plain text/css application/json application/x-javascript application/javascript text/xml text/csv;
 
   location = /robots.txt {
     add_header Content-Type text/plain;
@@ -45,7 +45,7 @@ server {
 
     # More lax CSP for enketo-express:
     # Google Maps API: https://developers.google.com/maps/documentation/javascript/content-security-policy
-    add_header Content-Security-Policy-Report-Only "default-src 'none'; connect-src 'self' blob: https://maps.googleapis.com/maps/ https://maps.google.com/ https://maps.gstatic.com/mapfiles/ https://fonts.gstatic.com/ https://fonts.googleapis.com/; font-src 'self' https://fonts.gstatic.com/; frame-src 'none'; img-src data: blob: jr: 'self' https://maps.google.com/maps/ https://maps.gstatic.com/mapfiles/ https://maps.googleapis.com/maps/; manifest-src 'none'; media-src blob: jr: 'self'; object-src 'none'; script-src 'unsafe-inline' 'self' https://maps.googleapis.com/maps/api/js/ https://maps.google.com/maps/ https://maps.google.com/maps-api-v3/api/js/; style-src 'unsafe-inline' 'self' https://fonts.googleapis.com/css; style-src-attr 'none'; report-uri /csp-report";
+    add_header Content-Security-Policy-Report-Only "default-src 'none'; connect-src 'self' blob: https://maps.googleapis.com/maps/ https://maps.google.com/ https://maps.gstatic.com/mapfiles/ https://fonts.gstatic.com/ https://fonts.googleapis.com/; font-src 'self' https://fonts.gstatic.com/; frame-src 'none'; img-src data: blob: jr: 'self' https://maps.google.com/maps/ https://maps.gstatic.com/mapfiles/ https://maps.googleapis.com/maps/; manifest-src 'none'; media-src blob: jr: 'self'; object-src 'none'; script-src 'unsafe-inline' 'self' https://maps.googleapis.com/maps/api/js/ https://maps.google.com/maps/ https://maps.google.com/maps-api-v3/api/js/; style-src 'unsafe-inline' 'self' https://fonts.googleapis.com/css; style-src-attr 'unsafe-inline'; report-uri /csp-report";
     #
     # Rules set to 'none' here would fallback to default-src if excluded.
     # They are included here to ease interpretation of violation reports.

diff --git a/files/prebuild/build-frontend.sh b/files/prebuild/build-frontend.sh
@@ -1,4 +1,18 @@
 #!/bin/bash -eu
+
 cd client
-npm clean-install --no-audit --fund=false --update-notifier=false
-npm run build
+
+if [[ ${SKIP_FRONTEND_BUILD-} != "" ]]; then
+  echo "[build-frontend] Skipping frontend build."
+
+  # Create minimal fake frontend to allow tests to pass:
+  mkdir -p dist
+  echo > dist/blank.html
+  echo > dist/favicon.ico
+  echo > dist/index.html '<div id="app"></div>'
+
+  exit
+else
+  npm clean-install --no-audit --fund=false --update-notifier=false
+  npm run build
+fi
diff --git a/nginx.dockerfile b/nginx.dockerfile
@@ -8,6 +8,8 @@ RUN apt-get update \
 
 COPY ./ ./
 RUN files/prebuild/write-version.sh
+
+ARG SKIP_FRONTEND_BUILD
 RUN files/prebuild/build-frontend.sh
 
 

diff --git a/service.dockerfile b/service.dockerfile
@@ -54,7 +54,7 @@ RUN apt-get update \
         postgresql-client-14 \
         netcat-traditional \
     && rm -rf /var/lib/apt/lists/* \
-    && npm clean-install --omit=dev --legacy-peer-deps --no-audit \
+    && npm clean-install --omit=dev --no-audit \
         --fund=false --update-notifier=false
 
 COPY server/ ./

diff --git a/test/nginx.test.docker-compose.yml b/test/nginx.test.docker-compose.yml
@@ -17,6 +17,8 @@ services:
     build:
       context: ..
       dockerfile: nginx.dockerfile
+      args:
+        SKIP_FRONTEND_BUILD: true
     depends_on:
       - service
       - enketo