From 240dfad1672b2ea80ada87bebf5b17247ac87ee0 Mon Sep 17 00:00:00 2001
From: Jari Kolehmainen
Date: Thu, 9 Jun 2022 13:39:37 +0300
Subject: [PATCH] Enable csp on lens proxy (#5581)

* enable csp on lens proxy

Signed-off-by: Jari Kolehmainen

* move csp default value to package.json

Signed-off-by: Jari Kolehmainen
---
 package.json                      | 3 ++-
 src/common/vars.ts                | 1 +
 src/main/lens-proxy/lens-proxy.ts | 6 +++++-
 3 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/package.json b/package.json
index 2f652eb980..c34198e158 100644
--- a/package.json
+++ b/package.json
@@ -49,7 +49,8 @@
     "k8sProxyVersion": "0.2.1",
     "bundledKubectlVersion": "1.23.3",
     "bundledHelmVersion": "3.7.2",
-    "sentryDsn": ""
+    "sentryDsn": "",
+    "contentSecurityPolicy": "script-src 'unsafe-eval' 'self'; frame-src http://*.localhost:*/; img-src *"
   },
   "engines": {
     "node": ">=16 <17"
diff --git a/src/common/vars.ts b/src/common/vars.ts
index e11e49a7a2..32eda45db6 100644
--- a/src/common/vars.ts
+++ b/src/common/vars.ts
@@ -143,3 +143,4 @@ export const appSemVer = new SemVer(packageInfo.version);
 
 export const docsUrl = "https://docs.k8slens.dev/main/" as string;
 export const sentryDsn = packageInfo.config?.sentryDsn ?? "";
+export const contentSecurityPolicy = packageInfo.config?.contentSecurityPolicy ?? "";
diff --git a/src/main/lens-proxy/lens-proxy.ts b/src/main/lens-proxy/lens-proxy.ts
index 571cbea7b4..5e58104d60 100644
--- a/src/main/lens-proxy/lens-proxy.ts
+++ b/src/main/lens-proxy/lens-proxy.ts
@@ -7,7 +7,7 @@ import net from "net";
 import type http from "http";
 import spdy from "spdy";
 import type httpProxy from "http-proxy";
-import { apiPrefix, apiKubePrefix } from "../../common/vars";
+import { apiPrefix, apiKubePrefix, contentSecurityPolicy } from "../../common/vars";
 import type { Router } from "../router/router";
 import type { ClusterContextHandler } from "../context-handler/context-handler";
 import logger from "../logger";
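Review bot: The policy added under `contentSecurityPolicy` has no `default-src` fallback, so every fetch directive it does not name (connect-src, style-src, font-src, object-src and the rest) stays unrestricted, and `'unsafe-eval'` in `script-src` lets any script that is allowed to load reach the eval-family APIs, which gives back much of what the `'self'` restriction was meant to take away. A tighter baseline would start from `default-src 'self'; object-src 'none'` and relax only the directives the renderer demonstrably needs; if `'unsafe-eval'` is required by a bundled dependency, a comment where the value is read in src/common/vars.ts should name it so the exception can be revisited. `img-src *` and the `http:`-only `frame-src` pattern deserve the same second look, hedged, since the origins the renderer actually loads are not visible from this patch.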
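Review bot: The new `contentSecurityPolicy` export in src/common/vars.ts is undocumented, and its empty-string default has a behavioural meaning in lens-proxy.ts (no header is emitted at all), so a TSDoc line would help: `/** Value sent as the Content-Security-Policy header by LensProxy; configured via "config.contentSecurityPolicy" in package.json, an empty string disables the header. */`. It is read from `packageInfo.config` the same way `sentryDsn` is, so the comment keeps the two exports' conventions aligned.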
@@ -239,6 +239,10 @@ export class LensProxy {
       }
     }
 
+    if (contentSecurityPolicy) {
+      res.setHeader("Content-Security-Policy", contentSecurityPolicy);
+    }
+
     this.dependencies.router.route(cluster, req, res);
   }
 }
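Review bot: The header is only set on the path that reaches `this.dependencies.router.route`, so any response produced by an earlier branch of this handler (the method begins above the hunk and is not visible here) would not carry it; worth confirming that nothing serves HTML before this point. Conversely the header is applied to every routed response, including API responses where it is inert, so either restrict it to the HTML-serving routes or document that the blanket header is intentional. There is no test asserting the header is present when `contentSecurityPolicy` is non-empty and absent when it is the empty string; a unit test for both cases would pin the behaviour. A short comment such as `// CSP value comes from package.json config.contentSecurityPolicy; an empty value disables the header` would explain the truthiness guard.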