feat: Add CDN support (#1817)

* chore: CSP * chore: Optionally use CDN for serving images
2021-01-16 11:12:10 -08:00
parent 1fd2ec31fd
commit 522df125aa
16 changed files with 77 additions and 28 deletions
--- a/server/app.js
+++ b/server/app.js
@@ -14,6 +14,7 @@ import enforceHttps from "koa-sslify";
 import api from "./api";
 import auth from "./auth";
 import emails from "./emails";
+import env from "./env";
 import routes from "./routes";
 import updates from "./utils/updates";

@@ -21,6 +22,24 @@ const app = new Koa();
 const isProduction = process.env.NODE_ENV === "production";
 const isTest = process.env.NODE_ENV === "test";

+// Construct scripts CSP based on services in use by this installation
+const scriptSrc = [
+  "'self'",
+  "'unsafe-inline'",
+  "'unsafe-eval'",
+  "gist.github.com",
+];
+
+if (env.GOOGLE_ANALYTICS_ID) {
+  scriptSrc.push("www.google-analytics.com");
+}
+if (env.SENTRY_DSN) {
+  scriptSrc.push("browser.sentry-cdn.com");
+}
+if (env.CDN_URL) {
+  scriptSrc.push(env.CDN_URL);
+}
+
 app.use(compress());

 if (isProduction) {
@@ -149,14 +168,7 @@ app.use(
  contentSecurityPolicy({
    directives: {
      defaultSrc: ["'self'"],
-      scriptSrc: [
-        "'self'",
-        "'unsafe-inline'",
-        "'unsafe-eval'",
-        "gist.github.com",
-        "www.google-analytics.com",
-        "browser.sentry-cdn.com",
-      ],
+      scriptSrc,
      styleSrc: ["'self'", "'unsafe-inline'", "github.githubassets.com"],
      imgSrc: ["*", "data:", "blob:"],
      frameSrc: ["*"],
--- a/server/emails/components/Header.js
+++ b/server/emails/components/Header.js
@@ -3,6 +3,8 @@ import { Table, TBody, TR, TD } from "oy-vey";
 import * as React from "react";
 import EmptySpace from "./EmptySpace";

+const url = process.env.CDN_URL || process.env.URL;
+
 export default () => {
  return (
    <Table width="100%">
@@ -12,7 +14,7 @@ export default () => {
            <EmptySpace height={40} />
            <img
              alt="Outline"
-              src={`${process.env.URL}/email/header-logo.png`}
+              src={`${url}/email/header-logo.png`}
              height="48"
              width="48"
            />
--- a/server/env.js
+++ b/server/env.js
@@ -1,6 +1,7 @@
 // @flow
 export default {
  URL: process.env.URL,
+  CDN_URL: process.env.CDN_URL || "",
  DEPLOYMENT: process.env.DEPLOYMENT,
  SENTRY_DSN: process.env.SENTRY_DSN,
  TEAM_LOGO: process.env.TEAM_LOGO,