added csp directives

mozilla · Jul 12, 2017 · 9234bce · 9234bce
1 parent b32e63c
commit 9234bce
Show file tree

Hide file tree

Showing 5 changed files with 37 additions and 12 deletions.
diff --git a/frontend/src/download.js b/frontend/src/download.js
@@ -9,7 +9,8 @@ $(document).ready(function() {
   $('#send-file').click(() => {
     window.location.replace(`${window.location.origin}`);
   });
-  const download = () => {
+  $('#download-btn').click(download);
+  function download() {
     const fileReceiver = new FileReceiver();
     const name = document.createElement('p');
     const $btn = $('#download-btn');
@@ -84,7 +85,5 @@ $(document).ready(function() {
         Raven.captureException(err);
         return Promise.reject(err);
       });
-  };
-
-  window.download = download;
+  }
 });
diff --git a/frontend/src/upload.js b/frontend/src/upload.js
@@ -10,6 +10,8 @@ $(document).ready(function() {
     $('#compliance-error').show();
   });
 
+  $('#file-upload').change(onUpload);
+  $('#page-one').on('dragover', allowDrop).on('drop', onUpload);
   // reset copy button
   const $copyBtn = $('#copy-btn');
   $copyBtn.attr('disabled', false);
@@ -61,11 +63,11 @@ $(document).ready(function() {
   });
 
   // on file upload by browse or drag & drop
-  window.onUpload = event => {
+  function onUpload(event) {
     event.preventDefault();
     let file = '';
     if (event.type === 'drop') {
-      file = event.dataTransfer.files[0];
+      file = event.originalEvent.dataTransfer.files[0];
     } else {
       file = event.target.files[0];
     }
@@ -143,11 +145,11 @@ $(document).ready(function() {
         $('#page-one').hide();
         $('#upload-error').show();
       });
-  };
+  }
 
-  window.allowDrop = function(ev) {
+  function allowDrop(ev) {
     ev.preventDefault();
-  };
+  }
 
   function checkExistence(id, populate) {
     const xhr = new XMLHttpRequest();

diff --git a/server/server.js b/server/server.js
@@ -32,6 +32,30 @@ app.engine(
 app.set('view engine', 'handlebars');
 
 app.use(helmet());
+app.use(
+  helmet.contentSecurityPolicy({
+    directives: {
+      defaultSrc: ['\'self\''],
+      connectSrc: [
+        '\'self\'',
+        'https://sentry.prod.mozaws.net',
+        'https://www.google-analytics.com',
+        'https://ssl.google-analytics.com'
+      ],
+      imgSrc: [
+        '\'self\'',
+        'https://www.google-analytics.com',
+        'https://ssl.google-analytics.com'
+      ],
+      scriptSrc: ['\'self\'', 'https://ssl.google-analytics.com'],
+      styleSrc: ['\'self\'', 'https://code.cdn.mozilla.net'],
+      fontSrc: ['\'self\'', 'https://code.cdn.mozilla.net'],
+      formAction: ['\'none\''],
+      frameAncestors: ['\'none\''],
+      objectSrc: ['\'none\'']
+    }
+  })
+);
 app.use(busboy());
 app.use(bodyParser.json());
 app.use(express.static(STATIC_PATH));

diff --git a/views/download.handlebars b/views/download.handlebars
@@ -23,7 +23,7 @@
       </div>
       <div id="download-page-one">
         <div>
-          <button id="download-btn" onclick="download()">Download File</button>
+          <button id="download-btn">Download File</button>
         </div>
         <div id='expired-img'>
           <img src='/resources/link_expired.png' />

diff --git a/views/index.handlebars b/views/index.handlebars
@@ -19,7 +19,7 @@
       <div class="title">
         Share your files quickly, privately and securely.
       </div>
-      <div class="upload-window" ondrop="onUpload(event)" ondragover="allowDrop(event)">
+      <div class="upload-window">
         <div id="upload-img"><img src="/resources/upload.svg" alt="Upload"/></div>
         <div>
           DRAG &amp; DROP
@@ -31,7 +31,7 @@
           <div id="browse">
             <form method="post" action="upload" enctype="multipart/form-data">
               <label for="file-upload" class="file-upload">browse</label>
-              <input id="file-upload" type="file" onchange="onUpload(event)" name="fileUploaded" />
+              <input id="file-upload" type="file" name="fileUploaded" />
             </form>
           </div>
         </div>