Merge branch 'release-2.8.x' into fix-env-conflicts

lerna.json

@@ -3,7 +3,7 @@
   "packages": [
     "packages/*"
   ],
-  "version": "2.8.0",
+  "version": "2.8.1",
   "publish": {
     "allowBranch": [
       "master"

package.json

@@ -1,6 +1,6 @@
 {
   "name": "pwa-kit",
-  "version": "2.8.0",
+  "version": "2.8.1",
   "engines": {
     "node": "^14.0.0 || ^16.0.0 || ^18.0.0",
     "npm": "^6.14.4 || ^7.0.0 || ^8.0.0 || ^9.0.0"

packages/internal-lib-build/package.json

@@ -1,6 +1,6 @@
 {
   "name": "internal-lib-build",
-  "version": "2.8.0",
+  "version": "2.8.1",
   "engines": {
     "node": "^14.0.0 || ^16.0.0 || ^18.0.0",
     "npm": "^6.14.4 || ^7.0.0 || ^8.0.0 || ^9.0.0"

packages/pwa-kit-create-app/CHANGELOG.md

@@ -1,3 +1,4 @@
+## v2.8.1 (Nov 8, 2023)
 ## v2.8.0 (Nov 3, 2023)
 ## v2.7.1 (May 11, 2023)
 

packages/pwa-kit-create-app/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pwa-kit-create-app",
-  "version": "2.8.0",
+  "version": "2.8.1",
   "description": "Salesforce's project generator tool",
   "author": "[email protected]",
   "license": "See license in LICENSE",
@@ -39,7 +39,7 @@
     "tar": "^6.1.13"
   },
   "devDependencies": {
-    "internal-lib-build": "^2.8.0",
+    "internal-lib-build": "^2.8.1",
     "verdaccio": "^5.22.1"
   }
 }

packages/pwa-kit-dev/CHANGELOG.md

@@ -1,3 +1,4 @@
+## v2.8.1 (Nov 08, 2023)
 ## v2.8.0 (Nov 03, 2023)
 ## v2.7.4 (Aug 28, 2023)
 - Fix performance issue caused by potentially large amounts of stats data from webpack [#1391](https://github.com/SalesforceCommerceCloud/pwa-kit/pull/1391/files)

packages/pwa-kit-dev/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pwa-kit-dev",
-  "version": "2.8.0",
+  "version": "2.8.1",
   "description": "Build tools for pwa-kit",
   "repository": {
     "type": "git",
@@ -90,7 +90,7 @@
     "minimatch": "3.1.2",
     "open": "^8.4.2",
     "prettier": "^2.8.6",
-    "pwa-kit-runtime": "^2.8.0",
+    "pwa-kit-runtime": "^2.8.1",
     "react-refresh": "^0.14.0",
     "replace-in-file": "^6.3.5",
     "request": "^2.88.0",
@@ -111,7 +111,7 @@
   },
   "devDependencies": {
     "@loadable/component": "^5.15.3",
-    "internal-lib-build": "^2.8.0",
+    "internal-lib-build": "^2.8.1",
     "nock": "^13.3.0",
     "superagent": "^6.1.0",
     "supertest": "^4.0.2"

packages/pwa-kit-react-sdk/CHANGELOG.md

@@ -1,3 +1,4 @@
+## v2.8.1 (Nov 08, 2023)
 ## v2.8.0 (Nov 03, 2023)
 -   Support Storefront Preview 
     - [#1442](https://github.com/SalesforceCommerceCloud/pwa-kit/pull/1442)

packages/pwa-kit-react-sdk/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pwa-kit-react-sdk",
-  "version": "2.8.0",
+  "version": "2.8.1",
   "description": "A library that supports the isomorphic React rendering pipeline for Commerce Cloud Managed Runtime apps",
   "engines": {
     "node": "^14.0.0 || ^16.0.0 || ^18.0.0",
@@ -49,7 +49,7 @@
     "event-emitter": "^0.3.5",
     "hoist-non-react-statics": "^3.3.2",
     "prop-types": "^15.8.1",
-    "pwa-kit-runtime": "^2.8.0",
+    "pwa-kit-runtime": "^2.8.1",
     "react-ssr-prepass": "^1.5.0",
     "react-uid": "^2.3.2",
     "serialize-javascript": "^6.0.1",
@@ -60,7 +60,7 @@
     "@loadable/component": "^5.15.3",
     "@wojtekmaj/enzyme-adapter-react-17": "^0.8.0",
     "enzyme": "^3.11.0",
-    "internal-lib-build": "^2.8.0",
+    "internal-lib-build": "^2.8.1",
     "node-html-parser": "^3.3.6",
     "react": "^17.0.2",
     "react-dom": "^17.0.2",

packages/pwa-kit-runtime/CHANGELOG.md

@@ -1,43 +1,62 @@
+## v2.8.1 (Nov 08, 2023)
+
+- Revert mandatory enforcement of Content-Security-Policy headers. Provide middleware as an opt-in replacement. [#1530](https://github.com/SalesforceCommerceCloud/pwa-kit/pull/1530)
+
+```js
+// your-project/app/ssr.js
+import {defaultPwaKitSecurityHeaders} from '@salesforce/pwa-kit-runtime/utils/middleware'
+const {handler} = runtime.createHandler(options, (app) => {
+    app.use(defaultPwaKitSecurityHeaders)
+    // ...
+}
+```
+
 ## v2.8.0 (Nov 03, 2023)
--   Move Content-Security-Policy logic into pwa-kit-runtime [#1491](https://github.com/SalesforceCommerceCloud/pwa-kit/pull/1491)
+
+- Move Content-Security-Policy logic into pwa-kit-runtime [#1491](https://github.com/SalesforceCommerceCloud/pwa-kit/pull/1491)
+
 ## v2.7.4 (Aug 28, 2023)
+
 ## v2.7.3 (Jun 20, 2023)
--   Support Node 18 and NPM 9. [#1265](https://github.com/SalesforceCommerceCloud/pwa-kit/pull/1265)
+
+- Support Node 18 and NPM 9. [#1265](https://github.com/SalesforceCommerceCloud/pwa-kit/pull/1265)
+
 ## v2.7.2 (May 29, 2023)
+
 ## v2.7.1 (May 11, 2023)
 
--   Add optional parameter to override configuration folder used in `getConfig` [#1049](https://github.com/SalesforceCommerceCloud/pwa-kit/pull/1049)
--   Moved the MRT reference app to the SDKs, so that we can verify eg. Node support [#966](https://github.com/SalesforceCommerceCloud/pwa-kit/pull/966)
+- Add optional parameter to override configuration folder used in `getConfig` [#1049](https://github.com/SalesforceCommerceCloud/pwa-kit/pull/1049)
+- Moved the MRT reference app to the SDKs, so that we can verify eg. Node support [#966](https://github.com/SalesforceCommerceCloud/pwa-kit/pull/966)
 
 ## v2.7.0 (Mar 03, 2023)
 
--   Support Node 16 [#965](https://github.com/SalesforceCommerceCloud/pwa-kit/pull/965)
+- Support Node 16 [#965](https://github.com/SalesforceCommerceCloud/pwa-kit/pull/965)
 
 ## v2.6.0 (Jan 25, 2023)
 
--   Security package updates
+- Security package updates
 
 ## v2.5.0 (Jan 05, 2023)
 
--   Logging cid from res header isntead of req in local development [#821](https://github.com/SalesforceCommerceCloud/pwa-kit/pull/821)
--   Replace morgan stream to use console.log [#847](https://github.com/SalesforceCommerceCloud/pwa-kit/pull/847)
+- Logging cid from res header isntead of req in local development [#821](https://github.com/SalesforceCommerceCloud/pwa-kit/pull/821)
+- Replace morgan stream to use console.log [#847](https://github.com/SalesforceCommerceCloud/pwa-kit/pull/847)
 
 ## v2.4.0 (Dec 01, 2022)
 
 ## v2.3.0 (Oct 27, 2022)
 
--   Performance: Skip retries when flushing CloudWatch metrics, prioritize returning a response instead. [720](https://github.com/SalesforceCommerceCloud/pwa-kit/pull/720)
--   Add Correlation ID to SCAPI requests. [#728](https://github.com/SalesforceCommerceCloud/pwa-kit/pull/728)
+- Performance: Skip retries when flushing CloudWatch metrics, prioritize returning a response instead. [720](https://github.com/SalesforceCommerceCloud/pwa-kit/pull/720)
+- Add Correlation ID to SCAPI requests. [#728](https://github.com/SalesforceCommerceCloud/pwa-kit/pull/728)
 
 ## v2.2.0 (Aug 25, 2022)
 
 ## v2.1.0 (Jul 05, 2022)
 
 ## v2.0.0 (May 16, 2022)
 
--   Drop node 12 support for [#589](https://github.com/SalesforceCommerceCloud/pwa-kit/pull/589)
--   Improve test coverage [#550](https://github.com/SalesforceCommerceCloud/pwa-kit/pull/550)
--   Make the createApp API idiomatic for Express, fix service-worker loading. [#536](https://github.com/SalesforceCommerceCloud/pwa-kit/pull/536)
--   Add environment specific configuration support via `getConfig`. [#447](https://github.com/SalesforceCommerceCloud/pwa-kit/pull/447)
--   Remove legacy remote proxy, which allowed remote environments to use proxy configs in package.json [#425](https://github.com/SalesforceCommerceCloud/pwa-kit/pull/425)
--   Remove default `body-parser` middleware from express server. [#444](https://github.com/SalesforceCommerceCloud/pwa-kit/pull/444)
+- Drop node 12 support for [#589](https://github.com/SalesforceCommerceCloud/pwa-kit/pull/589)
+- Improve test coverage [#550](https://github.com/SalesforceCommerceCloud/pwa-kit/pull/550)
+- Make the createApp API idiomatic for Express, fix service-worker loading. [#536](https://github.com/SalesforceCommerceCloud/pwa-kit/pull/536)
+- Add environment specific configuration support via `getConfig`. [#447](https://github.com/SalesforceCommerceCloud/pwa-kit/pull/447)
+- Remove legacy remote proxy, which allowed remote environments to use proxy configs in package.json [#425](https://github.com/SalesforceCommerceCloud/pwa-kit/pull/425)
+- Remove default `body-parser` middleware from express server. [#444](https://github.com/SalesforceCommerceCloud/pwa-kit/pull/444)

packages/pwa-kit-runtime/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pwa-kit-runtime",
-  "version": "2.8.0",
+  "version": "2.8.1",
   "description": "The PWAKit Runtime",
   "repository": {
     "type": "git",
@@ -50,15 +50,15 @@
     "@serverless/event-mocks": "^1.1.1",
     "aws-lambda-mock-context": "^3.2.1",
     "fs-extra": "^10.1.0",
-    "internal-lib-build": "^2.8.0",
+    "internal-lib-build": "^2.8.1",
     "nock": "^13.3.0",
     "sinon": "^13.0.2",
     "superagent": "^6.1.0",
     "supertest": "^4.0.2",
     "watch": "1.0.2"
   },
   "peerDependencies": {
-    "pwa-kit-dev": "^2.8.0"
+    "pwa-kit-dev": "^2.8.1"
   },
   "peerDependenciesMeta": {
     "pwa-kit-dev": {

packages/pwa-kit-runtime/src/ssr/server/build-remote-server.js

@@ -11,9 +11,7 @@ import {
     X_MOBIFY_QUERYSTRING,
     SET_COOKIE,
     CACHE_CONTROL,
-    NO_CACHE,
-    CONTENT_SECURITY_POLICY,
-    STRICT_TRANSPORT_SECURITY
+    NO_CACHE
 } from './constants'
 import {
     catchAndLog,
@@ -598,7 +596,6 @@ export const RemoteServerFactory = {
 
         // Apply the SSR middleware to any subsequent routes that we expect users
         // to add in their projects, like in any regular Express app.
-        app.use(enforceSecurityHeaders) // Must be AFTER prepNonProxyRequest, as they both modify setHeader.
         app.use(ssrMiddleware)
         app.use(errorHandlerMiddleware)
 
@@ -919,105 +916,6 @@ export const RemoteServerFactory = {
     }
 }
 
-/**
- * Patches `res.setHeader` to ensure that the Content-Security-Policy header always includes the
- * directives required for PWA Kit to work.
- * @param {express.Request} req Express request object
- * @param {express.Response} res Express response object
- * @param {express.NextFunction} next Express next callback
- */
-export const enforceSecurityHeaders = (req, res, next) => {
-    /** CSP-compatible origin for Runtime Admin. */
-    // localhost doesn't include a protocol because different browsers behave differently :\
-    const runtimeAdmin = isRemote() ? 'https://runtime.commercecloud.com' : 'localhost:*'
-    /**
-     * Map of directive names/values that are required for PWA Kit to work. Array values will be
-     * merged with user-provided values; boolean values will replace user-provided values.
-     * @type Object.<string, string[] | boolean>
-     */
-    const directives = {
-        'connect-src': ["'self'", runtimeAdmin],
-        'frame-ancestors': [runtimeAdmin],
-        'img-src': ["'self'", 'data:'],
-        'script-src': ["'self'", "'unsafe-eval'", runtimeAdmin],
-        // Always upgrade insecure requests when deployed, never upgrade on local dev server
-        'upgrade-insecure-requests': isRemote()
-    }
-
-    const setHeader = res.setHeader
-    res.setHeader = (name, value) => {
-        let modifiedValue = value
-        switch (name?.toLowerCase()) {
-            case CONTENT_SECURITY_POLICY: {
-                // If multiple Content-Security-Policy headers are provided, then the most restrictive
-                // option is chosen for each directive. Therefore, we must modify *all* directives to
-                // ensure that our required directives will work as expected.
-                // Ref: https://w3c.github.io/webappsec-csp/#multiple-policies
-                modifiedValue = Array.isArray(value)
-                    ? value.map((item) => modifyDirectives(item, directives))
-                    : modifyDirectives(value, directives)
-                break
-            }
-            case STRICT_TRANSPORT_SECURITY: {
-                // Block setting this header on local development server - it will break things!
-                if (!isRemote()) return
-                break
-            }
-            default: {
-                break
-            }
-        }
-        return setHeader.call(res, name, modifiedValue)
-    }
-    // Provide an initial CSP (or patch the existing header)
-    res.setHeader(CONTENT_SECURITY_POLICY, res.getHeader(CONTENT_SECURITY_POLICY) ?? '')
-    // Provide an initial value for HSTS, if not already set - use default from `helmet`
-    if (!res.hasHeader(STRICT_TRANSPORT_SECURITY)) {
-        res.setHeader(STRICT_TRANSPORT_SECURITY, 'max-age=15552000; includeSubDomains')
-    }
-    next()
-}
-
-/**
- * Updates the given Content-Security-Policy header to include all directives required by PWA Kit.
- * @param {string} original Original Content-Security-Policy header
- * @returns {string} Modified Content-Security-Policy header
- * @private
- */
-const modifyDirectives = (original, required) => {
-    const directives = original
-        .trim()
-        .split(';')
-        .reduce((acc, directive) => {
-            const text = directive.trim()
-            if (text) {
-                const [name, ...values] = text.split(/ +/)
-                acc[name] = values
-            }
-            return acc
-        }, {})
-
-    // Add missing required CSP directives
-    for (const [name, value] of Object.entries(required)) {
-        if (value === true) {
-            // Boolean directive (required) - overwrite original value
-            directives[name] = []
-        } else if (value === false) {
-            // Boolean directive (disabled) - delete original value
-            delete directives[name]
-        } else {
-            // Regular string[] directive - merge values
-            // Wrapping with `[...new Set(array)]` removes duplicate entries
-            directives[name] = [...new Set([...(directives[name] ?? []), ...value])]
-        }
-    }
-
-    // Re-construct header string
-    return Object.entries(directives)
-        .map(([name, values]) => [name, ...values].join(' '))
-        .join(';')
-}
-
 /**
  * ExpressJS middleware that processes any non-proxy request passing
  * through the Express app.