Content Security Policy (CSP)
To aid in the process of securing against Cross-Site Scripting Attacks (XSS), Joystick offers a thin abstraction around Content-Security Policy (CSP) making it easy to define and set directives for the Content-Security-Policy
header (Joystick implements this as a middleware that applies to all requests). CSP is a standard approach in browsers for specifying which origins are allowed to load content on your site.
In your app, CSP directives are defined via the csp
object passed via the options object to joystick.app()
:
/index.server.js
import joystick from '@joystick.js/node';
joystick.app({
csp: {
directives: {
'font-src': ['fonts.gstatic.com'],
'style-src': ['fonts.googleapis.com'],
},
},
});
Above, we're adding two CSP directives—font-src
and style-src
—and assigning both an array containing strings for origins we want to allow to load those specific source types. Here, our example is for allowing the CDN-hosted version of Google Fonts on our page. If we were to omit these origins, assuming we were using a Google Fonts CDN link somewhere in our site, on page load the browser would block those URLs and our fonts would not work (only if the csp
option is passed to our joystick.app()
options—if not, the URLs would not be blocked).
'self' is included automatically
By default, Joystick automatically adds 'self'
to the origins array for all directives (meaning, you're only responsible for specifying origins outside of your app's current origin).
Unrestricted Origins
When you add one or more Content Security Policy (CSP) directives, Joystick will automatically enable all CSP directives available. By default, for all directives, the only origin specified is 'self'
(the current domain). Beyond this, you will need to specify which origins/domains are allowed to have their content loaded on the page.
To avoid the tedium of doing so, for trusted domains (e.g., google.com
), the csp.unrestricted_origins
array can be utilized. Any domain/origin added to this array is automatically added to all CSP directives for your app.
/index.server.js
import joystick from '@joystick.js/node';
joystick.app({
csp: {
unrestricted_origins: ['fonts.gstatic.com', 'fonts.googleapis.com'],
directives: {
...
},
},
});
API Reference
CSP Definition API
CSP Definition API
{
csp: {
unrestricted_origins: array[string],
directives: object,
}
}
Properties
-
unrestricted_origins array[string]
An array of strings specifying origins (domains) that should not have any of their URLs restricted by the Content Security Policy.
-
directives object
An object containing key/value pairs where the
key
is the name of a Content Security Policy Directive and the value is an array of strings specifying origins that should be allowed for that type of URL.