deps: update to wabac.js 2.22.15 for improved CSP hardening (#417)

ikreymer · web-flow · commit 15a2ee493759 · 2025-05-01T18:27:29.000-07:00
bump to 2.3.6
diff --git a/CHANGES.md b/CHANGES.md
@@ -1,6 +1,12 @@
 <!-- cSpell:ignoreRegExp @\w+ -->
 
 ## CHANGES
+
+v2.3.6
+
+- Security: Improved CSP policy again, block loading of iframes outsides of replay (via wabac.js 2.22.15)
+- Tests: Update tests to check CSP behavior
+
 v2.3.5
 
 - Fidelity: Update to wabac.js 2.22.14, various fidelity improvements
diff --git a/package.json b/package.json
@@ -1,7 +1,7 @@
 {
   "name": "replaywebpage",
   "productName": "ReplayWeb.page",
-  "version": "2.3.5",
+  "version": "2.3.6",
   "description": "Serverless Web Archive Replay",
   "repository": "https://github.com/webrecorder/replayweb.page",
   "homepage": "https://replayweb.page/",
@@ -22,7 +22,7 @@
   "dependencies": {
     "@fortawesome/fontawesome-free": "^5.15.4",
     "@shoelace-style/shoelace": "~2.15.1",
-    "@webrecorder/wabac": "^2.22.14",
+    "@webrecorder/wabac": "^2.22.15",
     "bulma": "^0.9.3",
     "electron-log": "^4.4.1",
     "electron-updater": "^6.3.9",
diff --git a/tests/embeds.spec.js b/tests/embeds.spec.js
@@ -72,3 +72,55 @@ test("require subdomain iframe", async ({ page }) => {
     "Sorry, due to security settings, this ReplayWeb.page embed only be viewed within a subdomain iframe.",
   );
 });
+
+test("csp blocking in place", async ({ page }) => {
+  await page.goto("http://localhost:9990/embed.html");
+
+  const frame = page
+    .locator("replay-web-page")
+    .frameLocator("iframe")
+    .locator("replay-app-main wr-item wr-coll-replay")
+    .frameLocator("iframe")
+    .locator(":root");
+
+  const didNotFetch = await frame.evaluate(async () => {
+    const blocked = async (win, url) => {
+      try {
+        const resp = await win.fetch(url);
+        if (!resp.ok) {
+          return 1;
+        }
+        return 0;
+      } catch (e) {
+        return 1;
+      }
+    };
+
+    let block = 0;
+
+    // blocks (1 - 3)
+    block += await blocked(window, "https://webrecorder.net/");
+    block += await blocked(window, "http://localhost:9990/ui.js");
+    block += await blocked(window, "http://localhost:9990/sw.js");
+
+    const iframe = document.createElement("iframe");
+    iframe.src = "http://localhost:9990/static/wombat.js";
+    document.body.appendChild(iframe);
+
+    await new Promise((resolve) => setTimeout(resolve, 1000));
+
+    // (4) still blocked from loading due to csp
+    block += await blocked(iframe.contentWindow, "https://webrecorder.net/");
+
+    // (5-6) blocked by csp policy, even though local
+    block += await blocked(iframe.contentWindow, "http://localhost:9990/sw.js");
+    block += await blocked(
+      iframe.contentWindow,
+      "http://localhost:9990/static/wombat.js",
+    );
+
+    return block;
+  });
+
+  expect(didNotFetch).toBe(6);
+});
diff --git a/yarn.lock b/yarn.lock
@@ -1028,10 +1028,10 @@
   resolved "https://registry.yarnpkg.com/@webpack-cli/serve/-/serve-2.0.5.tgz#325db42395cd49fe6c14057f9a900e427df8810e"
   integrity sha512-lqaoKnRYBdo1UgDX8uF24AfGMifWK19TxPmM5FHc2vAGxrJ/qtyUyFBWoY1tISZdelsQ5fBcOusifo5o5wSJxQ==
 
-"@webrecorder/wabac@^2.22.14":
-  version "2.22.14"
-  resolved "https://registry.yarnpkg.com/@webrecorder/wabac/-/wabac-2.22.14.tgz#6f7503c2f06d126a1fb1ff754ce081836602e202"
-  integrity sha512-dcomAtul8dML/fJZjQNqRCWVLjirmuJPqPDNFv/7hFsm9SUHt9LdbXytQqndCWqCPvu6RVA4lfdXSA4O8erClQ==
+"@webrecorder/wabac@^2.22.15":
+  version "2.22.15"
+  resolved "https://registry.yarnpkg.com/@webrecorder/wabac/-/wabac-2.22.15.tgz#2b5c31cf16fdd2055e7bae331fa26488359df9cd"
+  integrity sha512-GJvFNCnDdvpij1mBNRRpT4zfr66W5td4NpNKEPmBtEwTPdlRyNlU96ZSL3NRVtzvg7RG6LpI6Oa86lKd6EUpBA==
   dependencies:
     "@peculiar/asn1-ecc" "^2.3.4"
     "@peculiar/asn1-schema" "^2.3.3"
