cboard icon indicating copy to clipboard operation
cboard copied to clipboard
verified publisher icon cboard-org

csp problems

Open gonojuarez opened this issue 9 months ago • 5 comments

Description create a hotfix related to CSP in the developer environment.

  • Users in the dev environment can't connect the API because Windows rejects it.
  • the problem is related to the HTTP protocol in Windows 11.

gonojuarez avatar Mar 14 '25 17:03 gonojuarez

I suggest removing from /public/index.html the label

 <meta http-equiv="Content-Security-Policy" content="
    default-src 'self'
        'unsafe-inline'
        'unsafe-eval'
        https://*
        wss://*.microsoft.com/cognitiveservices/
        blob:
        gap:
        data:;
    img-src * data:  filesystem:  blob:  ;
    ">

and implements a good csp with react like us:

import { useEffect } from 'react';

const setupCSP = () => {
  // Detectar entorno
  const isDevelopment = process.env.NODE_ENV === 'development';

  const localHostSources = isDevelopment
    ? 'http://localhost:* http://127.0.0.1:* ws://localhost:* ws://127.0.0.1:*'
    : '';

  const cspContent = `
    default-src 'self' https://app.cboard.io https://api.cboard.io ${localHostSources};
    script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.paypal.com https://www.sandbox.paypal.com ${localHostSources};
    style-src 'self' 'unsafe-inline' ${localHostSources};
    img-src * data: blob: filesystem:;
    connect-src 'self' https://api.cboard.io wss://*.microsoft.com/cognitiveservices/ https://*.paypal.com ${localHostSources};
    media-src 'self' blob: ${localHostSources};
    object-src 'none';
    frame-src 'self' https://www.paypal.com https://www.sandbox.paypal.com ${localHostSources};
    font-src 'self' data: ${localHostSources};
  `
    .replace(/\s+/g, ' ')
    .trim();

  // Añadir la meta tag dinámicamente
  const meta = document.createElement('meta');
  meta.httpEquiv = 'Content-Security-Policy';
  meta.content = cspContent;
  document.head.appendChild(meta);
};

//initializeAppInsights


// When running in Cordova, must use the HashRouter
const PlatformRouter = isCordova() ? HashRouter : BrowserRouter;

// Paypal settings

//render app
const renderApp = () => {
  if (isCordova()) {
    initCordovaPlugins();
  }
 //implements the CSP
  setupCSP();
 // render code
  ReactDOM.render(
    <Provider store={store}>
      <PersistGate persistor={persistor}>
        <PayPalScriptProvider options={paypalOptions}>
          <SpeechProvider>
            <LanguageProvider>
              <ThemeProvider>
                <SubscriptionProvider>
                  <PlatformRouter>
                    <DndProvider backend={TouchBackend} options={dndOptions}>
                      <Route path="/" component={App} />
                    </DndProvider>
                  </PlatformRouter>
                </SubscriptionProvider>
              </ThemeProvider>
            </LanguageProvider>
          </SpeechProvider>
        </PayPalScriptProvider>
      </PersistGate>
    </Provider>,
    document.getElementById('root')
  );
};

isCordova() ? onCordovaReady(renderApp) : renderApp();

gonojuarez avatar Mar 17 '25 14:03 gonojuarez

I found problems related to connecting with the araasac and other API links. that implementations need a full testing

gonojuarez avatar Mar 17 '25 14:03 gonojuarez

there is an explain about the csp

gonojuarez avatar Mar 19 '25 18:03 gonojuarez

not pass the android testing, because lock internal files return to in progress

gonojuarez avatar Mar 26 '25 15:03 gonojuarez

related #1183

RodriSanchez1 avatar Mar 27 '25 17:03 RodriSanchez1