UNPKG

@defra-fish/gafl-webapp-service

Version:

The websales frontend for the GAFL service

github.com/DEFRA/rod-licensing

DEFRA/rod-licensing

91 lines (83 loc) 2.54 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
import Inert from '@hapi/inert' import Vision from '@hapi/vision' import Disinfect from 'disinfect' import Scooter from '@hapi/scooter' import Blankie from 'blankie' import Crumb from '@hapi/crumb' import Cookie from '@hapi/cookie' import HapiI18n from 'hapi-i18n' import { getCsrfTokenCookieName } from './server.js' import Dirname from '../dirname.cjs' import path from 'path' // This is a hash provided by the GOV.UK Frontend: // https://frontend.design-system.service.gov.uk/importing-css-assets-and-javascript/#use-a-hash-to-unblock-inline-javascript // It is added to the CSP to except the in-line script. It needs the quotes. const scriptHash = "'sha256-GUQ5ad8JK5KmEWmROf3LZd9ge94daqNvd8xy9YS1iDw='" const initialiseDisinfectPlugin = () => ({ plugin: Disinfect, options: { disinfectQuery: true, disinfectParams: true, disinfectPayload: true } }) const unsafeInline = 'unsafe-inline' const googleTagUrl = '*.googletagmanager.com' const initialiseBlankiePlugin = () => ({ plugin: Blankie, options: { /* * This defines the content security policy - which is as restrictive as possible * It must allow web-fonts from 'fonts.gstatic.com' */ fontSrc: ['self', 'fonts.gstatic.com', 'data:'], scriptSrc: [ 'self', unsafeInline, scriptHash, googleTagUrl, '*.tagassistant.google.com', 'unsafe-eval', 'https://tagmanager.google.com/' ], connectSrc: ['self', '*.google-analytics.com', googleTagUrl, '*.analytics.google.com'], generateNonces: true, frameAncestors: 'none', imgSrc: ['self', unsafeInline, googleTagUrl, 'fonts.gstatic.com', 'data:', 'https://ssl.gstatic.com/'], manifestSrc: ['self'], styleSrc: [unsafeInline, 'self', 'fonts.googleapis.com', googleTagUrl, 'https://tagmanager.google.com/'] } }) const initialiseCrumbPlugin = () => ({ plugin: Crumb, options: { key: getCsrfTokenCookieName(), cookieOptions: { isSecure: process.env.NODE_ENV !== 'development', isHttpOnly: process.env.NODE_ENV !== 'development' }, logUnauthorized: true } }) const initialiseHapiI18nPlugin = () => { return { plugin: HapiI18n, options: { locales: ['en', 'cy'], directory: path.join(Dirname, 'src/locales'), queryParameter: 'lang' } } } export const getPlugins = () => { return [ Inert, Vision, Scooter, Cookie, initialiseDisinfectPlugin(), initialiseBlankiePlugin(), initialiseCrumbPlugin(), initialiseHapiI18nPlugin() ] }