Mobrovac has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/204027

Change subject: Update to latest service-template-node
......................................................................

Update to latest service-template-node

Includes:
- configurable CSP headers
- configurable HTTP(S) proxy
- configurable CORS headers

Change-Id: I82b270a27d01f42604ad98b518a98dba8e221bc9
---
M app.js
M lib/util.js
M package.json
M test/features/app/app.js
4 files changed, 52 insertions(+), 3 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/mediawiki/services/graphoid 
refs/changes/27/204027/1

diff --git a/app.js b/app.js
index 88943b1..5f9e033 100644
--- a/app.js
+++ b/app.js
@@ -31,6 +31,31 @@
     if(!app.conf.port) { app.conf.port = 8888; }
     if(!app.conf.interface) { app.conf.interface = '0.0.0.0'; }
     if(!app.conf.compression_level) { app.conf.compression_level = 3; }
+    if(app.conf.cors === undefined) { app.conf.cors = '*'; }
+    if(!app.conf.csp) {
+        app.conf.csp =
+            "default-src 'self'; object-src 'none'; media-src *; img-src *; 
style-src *; frame-ancestors 'self'";
+    }
+
+    // set outgoing proxy
+    if(app.conf.proxy) {
+        process.env.HTTP_PROXY = app.conf.proxy;
+    }
+
+    // set the CORS and CSP headers
+    app.all('*', function(req, res, next) {
+        if(app.conf.cors !== false) {
+            res.header('Access-Control-Allow-Origin', app.conf.cors);
+            res.header('Access-Control-Allow-Headers', 'Accept, 
X-Requested-With, Content-Type');
+        }
+        res.header('X-XSS-Protection', '1; mode=block');
+        res.header('X-Content-Type-Options', 'nosniff');
+        res.header('X-Frame-Options', 'SAMEORIGIN');
+        res.header('Content-Security-Policy', app.conf.csp);
+        res.header('X-Content-Security-Policy', app.conf.csp);
+        res.header('X-WebKit-CSP', app.conf.csp);
+        next();
+    });
 
     // disable the X-Powered-By header
     app.set('x-powered-by', false);
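Review bot: Only `HTTP_PROXY` is exported in the `app.conf.proxy` block, although the commit message advertises a configurable HTTP(S) proxy; HTTP clients that honour the environment generally consult `HTTPS_PROXY` for https:// targets, so outgoing HTTPS requests would presumably bypass the proxy unless `process.env.HTTPS_PROXY = app.conf.proxy;` is set alongside it. Writing `process.env` is also process-wide rather than scoped to this app's client, which deserves a comment such as `// NOTE: affects every library in this process that reads the proxy env vars`. In the CORS branch, when `app.conf.cors` is configured to a specific origin instead of `*`, the response should carry `res.header('Vary', 'Origin');` so shared caches cannot serve one origin's Access-Control-Allow-Origin value to another. Preflight OPTIONS requests are passed on to `next()` with no `Access-Control-Allow-Methods`, so non-simple cross-origin requests presumably still fail at the router. The enclosing function starts before the hunk.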
diff --git a/lib/util.js b/lib/util.js
index 58ed1e3..fb83c9c 100644
--- a/lib/util.js
+++ b/lib/util.js
@@ -190,8 +190,8 @@
             level = 'info';
         }
         // log the error
-        req.logger.log(level +
-                (errObj.component ? '/' + errObj.component : '/' + 
errObj.status),
+        req.logger.log(level + '/' +
+                (errObj.component ? errObj.component : errObj.status),
                 errForLog(errObj));
         // let through only non-sensitive info
         var respBody = {
diff --git a/package.json b/package.json
index bbd3a0e..e352bf2 100644
--- a/package.json
+++ b/package.json
@@ -40,7 +40,7 @@
     "js-yaml": "^3.2.7",
     "node-uuid": "^1.4.3",
     "preq": "^0.3.12",
-    "service-runner": "^0.1.5"
+    "service-runner": "^0.1.6"
   },
   "devDependencies": {
     "assert": "^1.3.0",
diff --git a/test/features/app/app.js b/test/features/app/app.js
index c7fb08c..6df85b4 100644
--- a/test/features/app/app.js
+++ b/test/features/app/app.js
@@ -25,6 +25,30 @@
         });
     });
 
+    it('should set CORS headers', function() {
+        return preq.get({
+            uri: server.config.uri + 'robots.txt'
+        }).then(function(res) {
+            assert.deepEqual(res.status, 200);
+            assert.deepEqual(res.headers['access-control-allow-origin'], '*');
+            assert.notDeepEqual(res.headers['access-control-allow-headers'], 
undefined);
+        });
+    });
+
+    it('should set CSP headers', function() {
+        return preq.get({
+            uri: server.config.uri + 'robots.txt'
+        }).then(function(res) {
+            assert.deepEqual(res.status, 200);
+            assert.deepEqual(res.headers['x-xss-protection'], '1; mode=block');
+            assert.deepEqual(res.headers['x-content-type-options'], 'nosniff');
+            assert.deepEqual(res.headers['x-frame-options'], 'SAMEORIGIN');
+            assert.deepEqual(res.headers['content-security-policy'], 
'default-src');
+            assert.deepEqual(res.headers['x-content-security-policy'], 
'default-src');
+            assert.deepEqual(res.headers['x-webkit-csp'], 'default-src');
+        });
+    });
+
     it('should get static content gzipped', function() {
         return preq.get({
             uri: server.config.uri + 'static/index.html',
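Review bot: The CSP assertions at the end of the new test pin all three CSP headers to the bare value `'default-src'`, which is not the default policy app.js installs (`default-src 'self'; object-src 'none'; …`), so the test either presumes the test configuration overrides `csp` or fails against the shipped default; in either case the default policy is never exercised. Asserting against the value the test configuration actually provides, rather than a literal, would make the intent clear, for example `assert.deepEqual(res.headers['content-security-policy'], expectedCsp);` with `expectedCsp` read from the test config (its shape is not visible here). A second case that starts the app with `cors: false` and checks that `access-control-allow-origin` is absent would cover the only branch in the new middleware that the current tests miss. The `describe` block enclosing these cases starts before the hunk.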


Gerrit-MessageType: newchange
Gerrit-Change-Id: I82b270a27d01f42604ad98b518a98dba8e221bc9
Gerrit-PatchSet: 1
Gerrit-Project: mediawiki/services/graphoid
Gerrit-Branch: master
Gerrit-Owner: Mobrovac <[email protected]>
