feat(dcellar-web-ui): add csp rules (#401)

* feat(dcellar-web-ui): add csp

* fix(dcellar-web-ui): add unsafe-inline for style

* docs(dcellar-web-ui): update changelog

apps/dcellar-web-ui/CHANGELOG.json

@@ -1,6 +1,18 @@
 {
   "name": "dcellar-web-ui",
   "entries": [
+    {
+      "version": "1.9.0",
+      "tag": "dcellar-web-ui_v1.9.0",
+      "date": "Tue, 05 Nov 2024 07:18:43 GMT",
+      "comments": {
+        "minor": [
+          {
+            "comment": "Add CSP"
+          }
+        ]
+      }
+    },
     {
       "version": "1.8.2",
       "tag": "dcellar-web-ui_v1.8.2",

apps/dcellar-web-ui/CHANGELOG.md

@@ -1,6 +1,13 @@
 # Change Log - dcellar-web-ui
 
-This log was last generated on Thu, 10 Oct 2024 12:15:36 GMT and should not be manually modified.
+This log was last generated on Tue, 05 Nov 2024 07:18:43 GMT and should not be manually modified.
+
+## 1.9.0
+Tue, 05 Nov 2024 07:18:43 GMT
+
+### Minor changes
+
+- Add CSP
 
 ## 1.8.2
 Thu, 10 Oct 2024 12:15:36 GMT

apps/dcellar-web-ui/package.json

@@ -1,6 +1,6 @@
 {
   "name": "dcellar-web-ui",
-  "version": "1.8.2",
+  "version": "1.9.0",
   "private": false,
   "scripts": {
     "dev": "node ./scripts/dev.js -p 3200",

apps/dcellar-web-ui/src/base/env.ts

@@ -1,7 +1,7 @@
 import { removeTrailingSlash } from '@/utils/string';
 import getConfig from 'next/config';
 
-const { publicRuntimeConfig, serverRuntimeConfig } = getConfig();
+const { publicRuntimeConfig, serverRuntimeConfig } = getConfig() || {};
 const {
   NEXT_PUBLIC_ENV,
   NEXT_PUBLIC_STATIC_HOST,

apps/dcellar-web-ui/src/middleware.ts

@@ -0,0 +1,56 @@
+import { NextRequest, NextResponse } from 'next/server';
+
+export function middleware(request: NextRequest) {
+  const cspHeader = `
+    default-src 'self';
+    script-src 'self' 'unsafe-eval' https: https://www.googletagmanager.com https://www.google-analytics.com https://analytics.google.com;
+    script-src-elem 'self' 'unsafe-inline' https: https://www.googletagmanager.com https://www.google-analytics.com https://analytics.google.com;
+    style-src 'self' 'unsafe-inline' https://fonts.googleapis.com;
+    img-src 'self' blob: data: https: https://www.google-analytics.com https://www.googletagmanager.com;
+    font-src 'self' https://fonts.gstatic.com;
+    connect-src *;
+    object-src 'none';
+    base-uri 'self';
+    form-action 'self';
+    frame-ancestors 'none';
+    frame-src 'self' https://*.walletconnect.com https://verify.walletconnect.com;
+    media-src 'self';
+    manifest-src 'self';
+    worker-src 'self' blob:;
+    upgrade-insecure-requests;
+`;
+
+  const cleanCspHeader = cspHeader.replace(/\s+/g, ' ').trim();
+
+  const requestHeaders = new Headers(request.headers);
+  requestHeaders.set('Content-Security-Policy', cleanCspHeader);
+
+  const response = NextResponse.next({
+    request: {
+      headers: requestHeaders,
+    },
+  });
+
+  response.headers.set('Content-Security-Policy', cleanCspHeader);
+
+  return response;
+}
+
+export const config = {
+  matcher: [
+    /*
+     * Match all request paths except for the ones starting with:
+     * - api (API routes)
+     * - _next/static (static files)
+     * - _next/image (image optimization files)
+     * - favicon.ico (favicon file)
+     */
+    {
+      source: '/((?!api|_next/static|_next/image|favicon.ico).*)',
+      missing: [
+        { type: 'header', key: 'next-router-prefetch' },
+        { type: 'header', key: 'purpose', value: 'prefetch' },
+      ],
+    },
+  ],
+};