csp.tsx 5.6 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170
  1. import Access from 'sentry/components/acl/access';
  2. import Form from 'sentry/components/forms/form';
  3. import JsonForm from 'sentry/components/forms/jsonForm';
  4. import ExternalLink from 'sentry/components/links/externalLink';
  5. import LoadingError from 'sentry/components/loadingError';
  6. import LoadingIndicator from 'sentry/components/loadingIndicator';
  7. import Panel from 'sentry/components/panels/panel';
  8. import PanelBody from 'sentry/components/panels/panelBody';
  9. import PanelHeader from 'sentry/components/panels/panelHeader';
  10. import PreviewFeature from 'sentry/components/previewFeature';
  11. import SentryDocumentTitle from 'sentry/components/sentryDocumentTitle';
  12. import formGroups from 'sentry/data/forms/cspReports';
  13. import {t, tct} from 'sentry/locale';
  14. import type {Project, ProjectKey} from 'sentry/types';
  15. import {useApiQuery} from 'sentry/utils/queryClient';
  16. import routeTitleGen from 'sentry/utils/routeTitle';
  17. import useOrganization from 'sentry/utils/useOrganization';
  18. import {useParams} from 'sentry/utils/useParams';
  19. import SettingsPageHeader from 'sentry/views/settings/components/settingsPageHeader';
  20. import ReportUri, {
  21. getSecurityDsn,
  22. } from 'sentry/views/settings/projectSecurityHeaders/reportUri';
  23. function getInstructions(keyList: ProjectKey[]) {
  24. return (
  25. 'def middleware(request, response):\n' +
  26. " response['Content-Security-Policy'] = \\\n" +
  27. ' "default-src *; " \\\n' +
  28. " \"script-src 'self' 'unsafe-eval' 'unsafe-inline' cdn.example.com cdn.ravenjs.com; \" \\\n" +
  29. " \"style-src 'self' 'unsafe-inline' cdn.example.com; \" \\\n" +
  30. ' "img-src * data:; " \\\n' +
  31. ' "report-uri ' +
  32. getSecurityDsn(keyList) +
  33. '"\n' +
  34. ' return response\n'
  35. );
  36. }
  37. function getReportOnlyInstructions(keyList: ProjectKey[]) {
  38. return (
  39. 'def middleware(request, response):\n' +
  40. " response['Content-Security-Policy-Report-Only'] = \\\n" +
  41. ' "default-src \'self\'; " \\\n' +
  42. ' "report-uri ' +
  43. getSecurityDsn(keyList) +
  44. '"\n' +
  45. ' return response\n'
  46. );
  47. }
  48. export default function ProjectCspReports() {
  49. const organization = useOrganization();
  50. const params = useParams();
  51. const projectId = params.projectId;
  52. const {
  53. data: keyList,
  54. isLoading: isLoadingKeyList,
  55. isError: isKeyListError,
  56. refetch: refetchKeyList,
  57. } = useApiQuery<ProjectKey[]>([`/projects/${organization.slug}/${projectId}/keys/`], {
  58. staleTime: 0,
  59. });
  60. const {
  61. data: project,
  62. isLoading: isLoadingProject,
  63. isError: isProjectError,
  64. refetch: refetchProject,
  65. } = useApiQuery<Project>([`/projects/${organization.slug}/${projectId}/`], {
  66. staleTime: 0,
  67. });
  68. if (isLoadingKeyList || isLoadingProject) {
  69. return <LoadingIndicator />;
  70. }
  71. if (isKeyListError || isProjectError) {
  72. return (
  73. <LoadingError
  74. onRetry={() => {
  75. refetchKeyList();
  76. refetchProject();
  77. }}
  78. />
  79. );
  80. }
  81. return (
  82. <div>
  83. <SentryDocumentTitle
  84. title={routeTitleGen(t('Content Security Policy (CSP)'), projectId, false)}
  85. />
  86. <SettingsPageHeader title={t('Content Security Policy')} />
  87. <PreviewFeature />
  88. <ReportUri keyList={keyList} orgId={organization.slug} projectId={projectId} />
  89. <Form
  90. saveOnBlur
  91. apiMethod="PUT"
  92. initialData={project.options}
  93. apiEndpoint={`/projects/${organization.slug}/${projectId}/`}
  94. >
  95. <Access access={['project:write']}>
  96. {({hasAccess}) => <JsonForm disabled={!hasAccess} forms={formGroups} />}
  97. </Access>
  98. </Form>
  99. <Panel>
  100. <PanelHeader>{t('About')}</PanelHeader>
  101. <PanelBody withPadding>
  102. <p>
  103. {tct(
  104. `[link:Content Security Policy]
  105. (CSP) is a security standard which helps prevent cross-site scripting (XSS),
  106. clickjacking and other code injection attacks resulting from execution of
  107. malicious content in the trusted web page context. It's enforced by browser
  108. vendors, and Sentry supports capturing CSP violations using the standard
  109. reporting hooks.`,
  110. {
  111. link: (
  112. <ExternalLink href="https://en.wikipedia.org/wiki/Content_Security_Policy" />
  113. ),
  114. }
  115. )}
  116. </p>
  117. <p>
  118. {tct(
  119. `To configure [csp:CSP] reports
  120. in Sentry, you'll need to send a header from your server describing your
  121. policy, as well specifying the authenticated Sentry endpoint.`,
  122. {
  123. csp: <abbr title="Content Security Policy" />,
  124. }
  125. )}
  126. </p>
  127. <p>
  128. {t(
  129. 'For example, in Python you might achieve this via a simple web middleware'
  130. )}
  131. </p>
  132. <pre>{getInstructions(keyList)}</pre>
  133. <p>
  134. {t(`Alternatively you can setup CSP reports to simply send reports rather than
  135. actually enforcing the policy`)}
  136. </p>
  137. <pre>{getReportOnlyInstructions(keyList)}</pre>
  138. <p>
  139. {tct(
  140. `We recommend setting this up to only run on a percentage of requests, as
  141. otherwise you may find that you've quickly exhausted your quota. For more
  142. information, take a look at [link:the article on html5rocks.com].`,
  143. {
  144. link: (
  145. <ExternalLink href="http://www.html5rocks.com/en/tutorials/security/content-security-policy/" />
  146. ),
  147. }
  148. )}
  149. </p>
  150. </PanelBody>
  151. </Panel>
  152. </div>
  153. );
  154. }