fet-1490: basic CSP

ensdomains · Aug 11, 2024 · cbc5c21 · cbc5c21
1 parent 20cc129
commit cbc5c21
Show file tree

Hide file tree

Showing 3 changed files with 27 additions and 0 deletions.
diff --git a/package.json b/package.json
@@ -66,6 +66,7 @@
     "react-confetti": "6.0.1",
     "react-dev-utils": "^12.0.1",
     "react-dom": "^18.2.0",
+    "react-helmet": "^6.1.0",
     "react-refresh": "^0.11.0",
     "react-router-dom": "5.3.0",
     "react-use": "17.3.1",

diff --git a/src/App.js b/src/App.js
@@ -28,6 +28,7 @@ import Home from "./pages/Home";
 import { useGetDelegates, useQueryString } from "./utils/hooks";
 import { initWeb3Read, rpcUrl } from "./web3modal";
 import { usePrevious } from "react-use";
+import { Csp } from "./csp";
 
 const PROJECT_ID = "02f438d1701ea8029113972850066224";
 
@@ -164,6 +165,7 @@ function App() {
 
   return (
     <>
+      <Csp />
       <Header />
       <AppContainerOuter>
         <AppContainerMid>

diff --git a/src/csp.js b/src/csp.js
@@ -0,0 +1,24 @@
+import { Helmet } from "react-helmet";
+
+const resources = [
+  "https://*.googletagmanager.com",
+  "plausible.io",
+  "static.cloudflareinsights.com",
+  "*.ens-app-v3.pages.dev",
+  "https://app.intercom.io",
+  "https://widget.intercom.io",
+  "https://js.intercomcdn.com",
+].join(" ");
+
+const content =
+  process.env.NODE_ENV === "production"
+    ? `worker-src 'self'; script-src 'self' 'sha256-UyYcl+sKCF/ROFZPHBlozJrndwfNiC5KT5ZZfup/pPc=' ${resources} 'wasm-unsafe-eval';`
+    : "script-src 'self'";
+
+export function Csp() {
+  return (
+    <Helmet>
+      <meta httpEquiv="Content-Security-Policy" content={content} />
+    </Helmet>
+  );
+}