Merge pull request #2396 from betagouv/fix/cms_s3_content_policy

fix: add CSP with a ROOT trusted domain
betagouv · Feb 1, 2024 · a02e726 · a02e726
2 parents 5d80249 + 0df508f
commit a02e726
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 3 deletions.
diff --git a/cms/config/middlewares.ts b/cms/config/middlewares.ts
@@ -1,9 +1,29 @@
 export default [
   'strapi::logger',
   'strapi::errors',
-  'strapi::security',
+  {
+    name: 'strapi::security',
+    config: {
+      contentSecurityPolicy: {
+        useDefaults: true,
+        directives: {
+          'img-src': [
+            "'self'",
+            "data:",
+            "blob:",
+            `*.${process.env.TRUSTED_ROOT_DOMAIN}`,
+          ],
+          'media-src': [
+            "'self'",
+            "data:",
+            "blob:",
+            `*.${process.env.TRUSTED_ROOT_DOMAIN}`,
+          ],
+        },
+      },
+    },
+  },
   'strapi::cors',
-  'strapi::poweredBy',
   'strapi::query',
   'strapi::body',
   'strapi::session',

diff --git a/docker-compose.e2e.yml b/docker-compose.e2e.yml
@@ -158,6 +158,8 @@ services:
       S3_ENDPOINT: http://s3:9000
       S3_REGION: fr-par
       S3_BUCKET: cms
+      S3_PUBLIC_URL: https://cms.s3.covoiturage.test
+      TRUSTED_ROOT_DOMAIN: covoiturage.test
     labels:
       - 'traefik.enable=true'
       - 'traefik.http.routers.api.rule=Host(`cms.covoiturage.test`)'
@@ -221,7 +223,7 @@ services:
       MINIO_DOMAIN: s3.covoiturage.test
     labels:
       - 'traefik.enable=true'
-      - 'traefik.http.routers.s3.rule=Host(`s3.covoiturage.test`, `local-pdc-export.s3.covoiturage.test`, `download.covoiturage.test`)'
+      - 'traefik.http.routers.s3.rule=Host(`s3.covoiturage.test`, `local-pdc-export.s3.covoiturage.test`, `download.covoiturage.test`, `cms.s3.covoiturage.test`)'
       - 'traefik.http.routers.s3.entrypoints=websecure'
       - 'traefik.http.routers.s3.tls=true'
       - 'traefik.http.services.s3.loadbalancer.server.port=9000'