OpenSource
/
dify
关注 4
点赞 0
派生 0
代码 工单 0 合并请求 0 版本发布 152 百科 动态
您最多选择25个主题 主题必须以字母或数字开头,可以包含连字符 (-),并且长度不得超过35个字符
3541 提交
4 分支
目录树: f4ce08211d
分支列表 标签列表
${ item.name }
创建分支 ${ searchTerm }
从 'f4ce08211d'
${ noResults }
dify/web/middleware.ts

middleware.ts 2.4KB
原始文件 普通视图 文件历史

feat: support csp (#9111) Co-authored-by: Joel <iamjoel007@gmail.com>
1年前
 12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576 
  1. import type { NextRequest } from 'next/server'

  2. import { NextResponse } from 'next/server'

  3. 

  4. const NECESSARY_DOMAIN = '*.sentry.io http://localhost:* http://127.0.0.1:* https://analytics.google.com https://googletagmanager.com https://api.github.com'

  5. 

  6. export function middleware(request: NextRequest) {

  7.   const isWhiteListEnabled = !!process.env.NEXT_PUBLIC_CSP_WHITELIST && process.env.NODE_ENV === 'production'

  8.   if (!isWhiteListEnabled)

  9.     return NextResponse.next()

  10. 

  11.   const whiteList = `${process.env.NEXT_PUBLIC_CSP_WHITELIST} ${NECESSARY_DOMAIN}`

  12.   const nonce = Buffer.from(crypto.randomUUID()).toString('base64')

  13.   const csp = `'nonce-${nonce}'`

  14. 

  15.   const scheme_source = 'data: mediastream: blob: filesystem:'

  16. 

  17.   const cspHeader = `

  18.     default-src 'self' ${scheme_source} ${csp} ${whiteList};

  19.     connect-src 'self' ${scheme_source} ${csp} ${whiteList};

  20.     script-src 'self' ${scheme_source} ${csp} ${whiteList};

  21.     style-src 'self' 'unsafe-inline' ${scheme_source} ${whiteList};

  22.     worker-src 'self' ${scheme_source} ${csp} ${whiteList};

  23.     media-src 'self' ${scheme_source} ${csp} ${whiteList};

  24.     img-src 'self' ${scheme_source} ${csp} ${whiteList};

  25.     font-src 'self';

  26.     object-src 'none';

  27.     base-uri 'self';

  28.     form-action 'self';

  29.     upgrade-insecure-requests;

  30. `

  31.   // Replace newline characters and spaces

  32.   const contentSecurityPolicyHeaderValue = cspHeader

  33.     .replace(/\s{2,}/g, ' ')

  34.     .trim()

  35. 

  36.   const requestHeaders = new Headers(request.headers)

  37.   requestHeaders.set('x-nonce', nonce)

  38. 

  39.   requestHeaders.set(

  40.     'Content-Security-Policy',

  41.     contentSecurityPolicyHeaderValue,

  42.   )

  43. 

  44.   const response = NextResponse.next({

  45.     request: {

  46.       headers: requestHeaders,

  47.     },

  48.   })

  49.   response.headers.set(

  50.     'Content-Security-Policy',

  51.     contentSecurityPolicyHeaderValue,

  52.   )

  53. 

  54.   return response

  55. }

  56. 

  57. export const config = {

  58.   matcher: [

  59.     /*

  60.      * Match all request paths except for the ones starting with:

  61.      * - api (API routes)

  62.      * - _next/static (static files)

  63.      * - _next/image (image optimization files)

  64.      * - favicon.ico (favicon file)

  65.      */

  66.     {

  67.       // source: '/((?!api|_next/static|_next/image|favicon.ico).*)',

  68.       source: '/((?!_next/static|_next/image|favicon.ico).*)',

  69.       // source: '/(.*)',

  70.       // missing: [

  71.       //   { type: 'header', key: 'next-router-prefetch' },

  72.       //   { type: 'header', key: 'purpose', value: 'prefetch' },

  73.       // ],

  74.     },

  75.   ],

  76. }