From 26f056f87954680c409368c45b8231ec994e1e3c Mon Sep 17 00:00:00 2001
From: Vasco Santos
Date: Fri, 12 Aug 2022 12:09:45 +0200
Subject: [PATCH 1/3] feat: add content security policy header

---
 packages/edge-gateway/src/gateway.js | 31 +++++++++++++++++++++++++---
 1 file changed, 28 insertions(+), 3 deletions(-)

diff --git a/packages/edge-gateway/src/gateway.js b/packages/edge-gateway/src/gateway.js
index 2ed5813..0cf9462 100644
--- a/packages/edge-gateway/src/gateway.js
+++ b/packages/edge-gateway/src/gateway.js
@@ -152,22 +152,28 @@ export async function gatewayIpfs(request, env, ctx, options = {}) {
 options.onRaceResolution &&
 options.onRaceResolution(winnerGwResponse, gatewayReqs, cid)
+
+ // Add response header
+ const raceResponse = getTransformedResponseWithCustomHeaders(
+ winnerGwResponse.response
+ )
+
 // Cache response
 ctx.waitUntil(
 (async () => {
 const contentLengthMb = Number(
- winnerGwResponse.response.headers.get('content-length')
+ raceResponse.headers.get('content-length')
 )
 // Cache request in Cloudflare CDN if smaller than CF_CACHE_MAX_OBJECT_SIZE
 if (contentLengthMb <= CF_CACHE_MAX_OBJECT_SIZE) {
- await cache.put(request, winnerGwResponse.response.clone())
+ await cache.put(request, raceResponse.clone())
 }
 })()
 )
 // forward winner gateway response
- return winnerGwResponse.response
+ return raceResponse
 } catch (err) {
 const responses = await pSettle(gatewayReqs)
@@ -525,3 +531,22 @@ function getDurableRequestUrl(request, route, data) {
 body: data && JSON.stringify(data),
 })
 }
+
+/**
+ * Transforms race response with custom headers.
+ * Content-Security-Policy header specified to only allow requests within same origin.
+ *
+ * @param {Response} response
+ */
+function getTransformedResponseWithCustomHeaders(response) {
+ const clonedResponse = new Response(response.body, {
+ headers: response.headers,
+ })
+
+ clonedResponse.headers.set(
+ 'content-security-policy',
+ "connect-src 'self'; script-src 'self'"
+ )
+
+ return clonedResponse
+}
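Review bot: `clonedResponse.headers.set('content-security-policy', …)` in the new getTransformedResponseWithCustomHeaders discards any Content-Security-Policy the upstream gateway response already carried, so a stricter policy shipped with the content is replaced by this looser one. Browsers enforce every CSP header present on a response, so `clonedResponse.headers.append('content-security-policy', "connect-src 'self'; script-src 'self'")` keeps the upstream policy and adds this one without ever weakening it; if overriding is deliberate, a one-line comment saying why belongs above the `set`. The JSDoc should also say what comes back, e.g. `@returns {Response} a new Response wrapping the same body with the policy header added`.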
From df29e914aeb16969fd14461f8f2f4cc436f8cf7f Mon Sep 17 00:00:00 2001
From: Vasco Santos
Date: Fri, 12 Aug 2022 13:07:51 +0200
Subject: [PATCH 2/3] fix: address review

---
 packages/edge-gateway/src/gateway.js | 18 +++++------------
 1 file changed, 5 insertions(+), 13 deletions(-)

diff --git a/packages/edge-gateway/src/gateway.js b/packages/edge-gateway/src/gateway.js
index 0cf9462..d8c590f 100644
--- a/packages/edge-gateway/src/gateway.js
+++ b/packages/edge-gateway/src/gateway.js
@@ -117,7 +117,7 @@ export async function gatewayIpfs(request, env, ctx, options = {}) {
 const responseTime = Date.now() - startTs
 options.onCdnResolution && options.onCdnResolution(res, responseTime)
- return res
+ return getTransformedResponseWithCustomHeaders(res)
 } else if (
 (request.headers.get('Cache-Control') || '').includes('only-if-cached')
 ) {
@@ -152,28 +152,22 @@ export async function gatewayIpfs(request, env, ctx, options = {}) {
 options.onRaceResolution &&
 options.onRaceResolution(winnerGwResponse, gatewayReqs, cid)
-
- // Add response header
- const raceResponse = getTransformedResponseWithCustomHeaders(
- winnerGwResponse.response
- )
-
 // Cache response
 ctx.waitUntil(
 (async () => {
 const contentLengthMb = Number(
- raceResponse.headers.get('content-length')
+ winnerGwResponse.response.headers.get('content-length')
 )
 // Cache request in Cloudflare CDN if smaller than CF_CACHE_MAX_OBJECT_SIZE
 if (contentLengthMb <= CF_CACHE_MAX_OBJECT_SIZE) {
- await cache.put(request, raceResponse.clone())
+ await cache.put(request, winnerGwResponse.response.clone())
 }
 })()
 )
 // forward winner gateway response
- return raceResponse
+ return getTransformedResponseWithCustomHeaders(winnerGwResponse.response)
 } catch (err) {
 const responses = await pSettle(gatewayReqs)
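Review bot: gatewayIpfs now adds the policy on the cache-hit path (`return getTransformedResponseWithCustomHeaders(res)`) and on the race path in the second hunk, but the function, which starts and ends outside these hunks, has further exits that are not wrapped here: the `only-if-cached` branch opened at the end of the first hunk and the `catch (err)` fallback after `pSettle(gatewayReqs)` in the second. If either of those returns an upstream gateway response, it goes out without the header; passing every outgoing Response through the helper at a single exit point would be easier to keep consistent than wrapping each `return`. This is inferred from the visible lines, so confirm against the remainder of the function.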
@@ -539,9 +533,7 @@ function getDurableRequestUrl(request, route, data) {
 * @param {Response} response
 */
 function getTransformedResponseWithCustomHeaders(response) {
- const clonedResponse = new Response(response.body, {
- headers: response.headers,
- })
+ const clonedResponse = new Response(response.body, response)
 clonedResponse.headers.set(
 'content-security-policy',

From 05b00e94e3243072172033beeb8a1b353438c03a Mon Sep 17 00:00:00 2001
From: Vasco Santos
Date: Fri, 12 Aug 2022 14:51:47 +0200
Subject: [PATCH 3/3] fix: extend csp

---
 packages/edge-gateway/src/gateway.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/packages/edge-gateway/src/gateway.js b/packages/edge-gateway/src/gateway.js
index d8c590f..9a2b65e 100644
--- a/packages/edge-gateway/src/gateway.js
+++ b/packages/edge-gateway/src/gateway.js
@@ -537,7 +537,7 @@ function getTransformedResponseWithCustomHeaders(response) {
 clonedResponse.headers.set(
 'content-security-policy',
- "connect-src 'self'; script-src 'self'"
+ "default-src 'self' 'unsafe-inline' blob: data: ; form-action 'self' ; navigate-to 'self' "
 )
 return clonedResponse
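Review bot: `const clonedResponse = new Response(response.body, response)` needs a why-comment, because reading a Response as its own init is not obvious: it copies status, statusText and headers into a fresh object, presumably because the headers of a fetched Response are immutable in this runtime (confirm). Suggested: `// Re-wrap the upstream response (status, statusText and headers are copied from it) so its headers can be modified`. The enclosing function's JSDoc starts above this hunk and could carry a `@returns {Response}` line as well.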
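Review bot: The new value `"default-src 'self' 'unsafe-inline' blob: data: ; form-action 'self' ; navigate-to 'self' "` has no `script-src`, so scripts fall back to `default-src` and `'unsafe-inline'`, `blob:` and `data:` all become permitted script sources; `data:` in particular is commonly treated as equivalent to allowing arbitrary injected script, so if inline and `blob:` scripts are required by the hosted content, list `script-src` explicitly and leave `data:` out of it. `navigate-to` was removed from the CSP Level 3 draft and has not shipped in major browsers, so it provides no enforcement today and should be annotated as such or dropped. The function's JSDoc (above this hunk) still says the header only allows requests within the same origin, which is no longer what the policy does; update it to list the directives actually set. The spaces before each `;` and the trailing space are tolerated by parsers but worth trimming.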