Merge pull request #428 from poanetwork/ws-csp-#414

Dynamically add websocket endpoint to CSP

apps/explorer_web/.sobelow-conf

@@ -5,5 +5,5 @@
   router: "lib/explorer_web/router.ex",
   exit: "low",
   format: "compact",
-  ignore: ["Config.CSRF"]
+  ignore: ["Config.Headers"]
 ]

apps/explorer_web/lib/explorer_web/csp_header.ex

@@ -0,0 +1,28 @@
+defmodule ExplorerWeb.CSPHeader do
+  @moduledoc """
+  Plug to set content-security-policy with websocket endpoints
+  """
+
+  alias Phoenix.Controller
+  alias Plug.Conn
+
+  def init(opts), do: opts
+
+  def call(conn, _opts) do
+    Controller.put_secure_browser_headers(conn, %{
+      "content-security-policy" => "\
+        connect-src 'self' #{websocket_endpoints(conn)}; \
+        default-src 'self';\
+        script-src 'self' 'unsafe-inline' 'unsafe-eval';\
+        style-src 'self' 'unsafe-inline' 'unsafe-eval' https://fonts.googleapis.com;\
+        img-src 'self' 'unsafe-inline' 'unsafe-eval' data:;\
+        font-src 'self' 'unsafe-inline' 'unsafe-eval' https://fonts.gstatic.com data:;\
+      "
+    })
+  end
+
+  defp websocket_endpoints(conn) do
+    host = Conn.get_req_header(conn, "host")
+    "ws://#{host} wss://#{host}"
+  end
+end

apps/explorer_web/lib/explorer_web/router.ex

@@ -6,17 +6,7 @@ defmodule ExplorerWeb.Router do
     plug(:fetch_session)
     plug(:fetch_flash)
     plug(:protect_from_forgery)
-
-    plug(:put_secure_browser_headers, %{
-      "content-security-policy" => "\
-        connect-src 'self' ws://localhost:*;\
-        default-src 'self';\
-        script-src 'self' 'unsafe-inline' 'unsafe-eval';\
-        style-src 'self' 'unsafe-inline' 'unsafe-eval' https://fonts.googleapis.com;\
-        img-src 'self' 'unsafe-inline' 'unsafe-eval' data:;\
-        font-src 'self' 'unsafe-inline' 'unsafe-eval' https://fonts.gstatic.com data:;\
-      "
-    })
+    plug(ExplorerWeb.CSPHeader)
   end
 
   pipeline :api do