forked from shapeshift/web
-
Notifications
You must be signed in to change notification settings - Fork 0
/
headers.js
88 lines (84 loc) · 4.7 KB
/
headers.js
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
require('dotenv').config()
const cspMeta = Object.entries({
'default-src': ["'self'"],
'child-src': ["'self'", "blob:", "'report-sample'"],
'connect-src': [
"'self'",
// @shapeshiftoss/[email protected]: https://github.com/shapeshift/lib/blob/f833ac7f8c70dee801eaa24525336ca6992e5903/packages/swapper/src/swappers/zrx/utils/zrxService.ts#L4
'https://api.0x.org',
// @shapeshiftoss/[email protected]: https://github.com/shapeshift/lib/blob/476550629be9485bfc089decc4df85456968464a/packages/chain-adapters/src/ethereum/EthereumChainAdapter.ts#L226
'https://gas.api.0x.org',
// @shapeshiftoss/[email protected]: https://github.com/shapeshift/lib/blob/1689995812e81a866e2c60150bdbb9afc7ce32b9/packages/caip/src/adapters/coingecko/index.ts#L5
// @shapeshiftoss/[email protected]: https://github.com/shapeshift/lib/blob/636c6c9460ac5ae4d1189165eddd3a105406e0ef/packages/asset-service/src/service/AssetService.ts#L130
// @shapeshiftoss/[email protected]: https://github.com/shapeshift/lib/blob/9123527ebbcf0fd62a619ab2824d970123bd5ac2/packages/market-service/src/coingecko/coingecko.ts#L37
'https://api.coingecko.com',
// @shapeshiftoss/[email protected]: https://github.com/shapeshift/lib/blob/636c6c9460ac5ae4d1189165eddd3a105406e0ef/packages/asset-service/src/generateAssetData/ethTokens/extendErc20.ts#L45
// @shapeshiftoss/[email protected]: https://github.com/shapeshift/lib/blob/9123527ebbcf0fd62a619ab2824d970123bd5ac2/packages/market-service/src/yearn/yearn.ts#L30
'https://api.yearn.finance',
// @yfi/[email protected]: https://github.com/yearn/yearn-sdk/blob/0a85ae7be734ba594b8b7e4a290e631610a3b399/src/context.ts#L66
'https://test-api.yearn.network/v1/',
// @yfi/[email protected]: https://github.com/yearn/yearn-sdk/blob/0a85ae7be734ba594b8b7e4a290e631610a3b399/src/services/subgraph/index.ts#L9-L29
'https://api.thegraph.com/subgraphs/name/salazarguille/yearn-vaults-v2-subgraph-mainnet',
// @yfi/[email protected]: https://github.com/yearn/yearn-sdk/blob/0a85ae7be734ba594b8b7e4a290e631610a3b399/src/services/assets.ts#L7
'https://raw.githubusercontent.com/yearn/yearn-assets/',
// @yfi/[email protected]: https://github.com/yearn/yearn-sdk/blob/0a85ae7be734ba594b8b7e4a290e631610a3b399/src/services/assets.ts#L17
'https://raw.githack.com/trustwallet/assets/',
// @yfi/[email protected]: https://github.com/yearn/yearn-sdk/blob/0a85ae7be734ba594b8b7e4a290e631610a3b399/src/services/assets.ts#L13
'https://api.github.com/repos/yearn/yearn-assets/',
// @shapeshiftoss/[email protected]: https://github.com/shapeshift/lib/blob/5a378b186bf943c9f5e5342e1333b9fbc7c0deaf/packages/caip/src/adapters/coincap/index.ts#L5
'https://api.coincap.io/v2/assets',
// @shapeshiftoss/[email protected]: https://github.com/shapeshift/lib/blob/9123527ebbcf0fd62a619ab2824d970123bd5ac2/packages/market-service/src/coincap/coincap.ts#L21
'https://api.coincap.io/v2/assets/',
process.env.REACT_APP_ETHEREUM_NODE_URL,
process.env.REACT_APP_UNCHAINED_ETHEREUM_HTTP_URL,
process.env.REACT_APP_UNCHAINED_ETHEREUM_WS_URL,
process.env.REACT_APP_UNCHAINED_BITCOIN_HTTP_URL,
process.env.REACT_APP_UNCHAINED_BITCOIN_WS_URL
],
'frame-src': [
'https://fwd.metamask.io/',
'https://widget.portis.io'
],
'img-src': [
"'self'",
'data:',
'blob:',
'filesystem:',
'https://assets.coincap.io/assets/icons/',
'https://static.coincap.io/assets/icons/',
'https://assets.coingecko.com/coins/images/',
'https://rawcdn.githack.com/yearn/yearn-assets/'
],
'script-src': [
"'self'",
'blob:',
"'unsafe-eval'", //TODO: There are still a couple of libraries we depend on that use eval; notably amqp-ts and google-protobuf.
"'unsafe-inline'", //TODO: The only inline code we need is the stub injected by Metamask. We can fix this by including the stub in our own bundle.
"'report-sample'"
],
'style-src': ["'self'", "'unsafe-inline'", "'report-sample'"],
'base-uri': ["'none'"],
'object-src': ["'none'"]
})
.map(([k, v]) => `${[k, ...v].join(' ')}`)
.join('; ')
const headers = {
'Cache-Control': 'no-transform', // This will prevent middleboxes from munging our JS and breaking SRI if we're ever served over HTTP
'Content-Security-Policy': `${cspMeta}; frame-ancestors 'none'`, // `; report-uri https://shapeshift.report-uri.com/r/d/csp/wizard`,
'Cross-Origin-Opener-Policy': 'same-origin-allow-popups',
'Permissions-Policy': 'document-domain=()',
'Referrer-Policy': 'no-referrer',
'X-Content-Type-Options': 'nosniff',
'X-Frame-Options': 'DENY'
}
module.exports = {
headers,
cspMeta
}
if (module.parent) return
require('fs').writeFileSync(
'./build/_headers',
`/*\n${Object.entries(headers)
.map(([k, v]) => ` ${k}: ${v}\n`)
.join('')}`
)