Remove lax CSP/eval from production builds

2026-06-08 08:39:59 +00:00 · 2019-02-10 11:04:52 +00:00
parent 5c62f40dd2
commit 53a16ccde7
4 changed files with 31 additions and 26 deletions
--- a/ext/build.js
+++ b/ext/build.js
@@ -8,6 +8,8 @@ const package = require("./package.json");
 const appPackage = require("../app/package.json");


+const INCLUDE_PATH = path.resolve(__dirname, "src");
+
 const DIST_PATH = path.join(__dirname, "../dist/ext");
 const UNPACKED_PATH = path.join(DIST_PATH, "unpacked");

@@ -36,11 +38,12 @@ if (argv.package) {

 // Import webpack config and specify env values
 const webpackConfig = require("./webpack.config.js")({
+    includePath: INCLUDE_PATH
    /**
     * If watching files, output directly to dist. Unpacked
     * directory is used as a staging area for web-ext builds.
     */
-    outputPath: argv.package
+  , outputPath: argv.package
        ? UNPACKED_PATH
        : DIST_PATH

@@ -50,10 +53,18 @@ const webpackConfig = require("./webpack.config.js")({
  , applicationName: appPackage.__applicationName
  , applicationVersion: appPackage.__applicationVersion
  , mirroringAppId: argv.mirroringAppId
+
+    // eval source map needs special CSP
+  , contentSecurityPolicy: argv.mode === "production"
+        ? "default-src 'self'"
+        : "script-src 'self' 'unsafe-eval'; object-src 'self'"
 });

 // Add mode to config
 webpackConfig.mode = argv.mode;
+webpackConfig.devtool = argv.mode === "production"
+    ? "source-map"
+    : "eval";


 // Clean
--- a/ext/src/manifest.json
+++ b/ext/src/manifest.json
@@ -3,13 +3,12 @@
  , "description": "__MSG_extensionDescription__"
  , "version": "EXTENSION_VERSION"

-  , "applications": {
+  , "browser_specific_settings": {
        "gecko": {
            "id": "EXTENSION_ID"
          , "strict_min_version": "64.0"
        }
    }
-
  , "browser_action": {
        "default_popup": "popup/index.html"
    }
@@ -24,15 +23,13 @@
          , "run_at": "document_start"
        }
    ]
-
-  , "content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self'"
+  , "content_security_policy": "CONTENT_SECURITY_POLICY"
  , "default_locale": "en"
  , "manifest_version": 2

  , "options_ui": {
        "page": "options/index.html"
    }
-
  , "permissions": [
        "menus"
      , "nativeMessaging"
@@ -42,7 +39,6 @@
      , "webRequestBlocking"
      , "<all_urls>"
    ]
-
  , "web_accessible_resources": [
        "shim/bundle.js"
      , "vendor/webcomponents-lite.min.js"
--- a/ext/src/shim/cast/index.js
+++ b/ext/src/shim/cast/index.js
@@ -278,6 +278,7 @@ onMessage(message => {
                state.sessionRequestInProgress = false;
                sessionErrorCallback(new Error_(ErrorCode.CANCEL));
            }
+
            break;
        }
    }
--- a/ext/webpack.config.js
+++ b/ext/webpack.config.js
@@ -4,21 +4,18 @@ const path              = require("path");
 const webpack           = require("webpack");
 const CopyWebpackPlugin = require("copy-webpack-plugin");

-
-const includePath = path.resolve(__dirname, "src");
-
 module.exports = (env) => ({
    entry: {
-        "main"           : `${includePath}/main.js`
-      , "popup/bundle"   : `${includePath}/popup/index.jsx`
-      , "options/bundle" : `${includePath}/options/index.jsx`
-      , "shim/bundle"    : `${includePath}/shim/index.js`
-      , "content"        : `${includePath}/content.js`
-      , "contentSetup"   : `${includePath}/contentSetup.js`
-      , "mediaCast"      : `${includePath}/mediaCast.js`
-      , "mirroringCast"  : `${includePath}/mirroringCast.js`
-      , "messageRouter"  : `${includePath}/messageRouter.js`
-      , "compat/youtube" : `${includePath}/compat/youtube.js`
+        "main"           : `${env.includePath}/main.js`
+      , "popup/bundle"   : `${env.includePath}/popup/index.jsx`
+      , "options/bundle" : `${env.includePath}/options/index.jsx`
+      , "shim/bundle"    : `${env.includePath}/shim/index.js`
+      , "content"        : `${env.includePath}/content.js`
+      , "contentSetup"   : `${env.includePath}/contentSetup.js`
+      , "mediaCast"      : `${env.includePath}/mediaCast.js`
+      , "mirroringCast"  : `${env.includePath}/mirroringCast.js`
+      , "messageRouter"  : `${env.includePath}/messageRouter.js`
+      , "compat/youtube" : `${env.includePath}/compat/youtube.js`
    }
  , output: {
        filename: "[name].js"
@@ -36,8 +33,8 @@ module.exports = (env) => ({

        // Copy static assets
      , new CopyWebpackPlugin([
-          {
-                from: includePath
+            {
+                from: env.includePath
              , to: env.outputPath
              , ignore: [ "*.js", "*.jsx" ]
              , transform (content, path) {
@@ -49,7 +46,8 @@ module.exports = (env) => ({
                            .replace("EXTENSION_VERSION", env.extensionVersion)
                            .replace("MIRRORING_APP_ID", env.mirroringAppId)
                            .replace("APPLICATION_NAME", env.applicationName)
-                            .replace("APPLICATION_VERSION", env.applicationVersion));
+                            .replace("APPLICATION_VERSION", env.applicationVersion)
+                            .replace("CONTENT_SECURITY_POLICY", env.contentSecurityPolicy));
                    }

                    return content;
@@ -57,12 +55,11 @@ module.exports = (env) => ({
            }
          , {
                // Copy vendor dir
-                from: path.join(includePath, "vendor")
+                from: path.join(env.includePath, "vendor")
              , to: path.join(env.outputPath, "vendor")
            }
        ])
    ]
-  , mode: "development"
  , module: {
        rules: [
            {
@@ -70,7 +67,7 @@ module.exports = (env) => ({
              , resolve: {
                    extensions: [ ".js", ".jsx" ]
                }
-              , include: `${includePath}`
+              , include: `${env.includePath}`
              , use: {
                    loader: "babel-loader"
                  , options: {