feat: CSP frontend alert screen (#797)

* Adds csp error screen

* build files

* fixes firefox execution order.

* make sure that js bundle script only gets executed only after the html parsing is completed

* bump v16.7.4

* fixes styling issues on safari

Author: Chakravarthy7102

CHANGELOG.md

@@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [unreleased]
 
+## [16.7.4] - 2024-03-01
+
+-   Adds a user friendly error screen that provides helpful information regarding Content Security Policy (CSP) issues..
+
 ## [16.7.3] - 2024-02-26
 
 -   Fixes dashboard URI path. Now it returns the complete user given path instead of just the normalized connectionURI domain.

lib/build/recipe/dashboard/api/implementation.js

@@ -54,11 +54,25 @@ function getAPIImplementation() {
                 // Only enable search if CDI version is 2.20 or above
                 isSearchEnabled = true;
             }
+            const htmlContent = `
+            '<div class="csp-screen-container">' +
+            '<div>' +
+            '<p>It looks like you have encountered a <u>Content Security Policy (CSP) </u> violation while trying to load a resource. Here is the breakdown of the details:</p>' +
+            '<span class="csp-screen-point"><strong>Blocked URI:</strong> ' + event.blockedURI + '<br></span>' +
+            '<span class="csp-screen-point"><strong>Violated Directive:</strong> ' + event.violatedDirective + '<br></span>' +
+            '<span class="csp-screen-point"><strong>Original Policy:</strong> ' + event.originalPolicy + '<br></span>' +
+            '<p>To resolve this issue, you will need to update your CSP configuration to allow the blocked URI.</p>' +
+            '</div>' +
+            '</div>'`;
             return `
             <html>
                 <head>
                     <meta name="viewport" content="width=device-width, initial-scale=1.0">
                     <script>
+                        window.addEventListener('securitypolicyviolation', function (event) {
+                            const root = document.getElementById("root");
+                            root.innerHTML = ${htmlContent}
+                        });
                         window.staticBasePath = "${bundleDomain}/static"
                         window.dashboardAppPath = "${input.options.appInfo.apiBasePath
                             .appendPath(new normalisedURLPath_1.default(constants_1.DASHBOARD_API))
@@ -67,7 +81,25 @@ function getAPIImplementation() {
                         window.authMode = "${authMode}"
                         window.isSearchEnabled = "${isSearchEnabled}"
                     </script>
-                    <script defer src="${bundleDomain}/static/js/bundle.js"></script></head>
+                    
+                    <style>
+                        .csp-screen-container{
+                            display: flex;
+                            height: 100vh;
+                            align-items: center;
+                            justify-content: center;
+                            max-width: 480px;
+                            margin: auto;
+
+                            font-size: 16px;
+                        }
+                        .csp-screen-point{
+                            display: inline-block;
+                            margin: 4px 0px;
+                        }
+                    </style>
+
+                    <script defer src="${bundleDomain}/static/js/bundle.js"></script>
                     <link href="${bundleDomain}/static/css/main.css" rel="stylesheet" type="text/css">
                     <link rel="icon" type="image/x-icon" href="${bundleDomain}/static/media/favicon.ico">
                 </head>

lib/build/version.d.ts

@@ -54,11 +54,26 @@ export default function getAPIImplementation(): APIInterface {
                 isSearchEnabled = true;
             }
 
+            const htmlContent = `
+            '<div class="csp-screen-container">' +
+            '<div>' +
+            '<p>It looks like you have encountered a <u>Content Security Policy (CSP) </u> violation while trying to load a resource. Here is the breakdown of the details:</p>' +
+            '<span class="csp-screen-point"><strong>Blocked URI:</strong> ' + event.blockedURI + '<br></span>' +
+            '<span class="csp-screen-point"><strong>Violated Directive:</strong> ' + event.violatedDirective + '<br></span>' +
+            '<span class="csp-screen-point"><strong>Original Policy:</strong> ' + event.originalPolicy + '<br></span>' +
+            '<p>To resolve this issue, you will need to update your CSP configuration to allow the blocked URI.</p>' +
+            '</div>' +
+            '</div>'`;
+
             return `
             <html>
                 <head>
                     <meta name="viewport" content="width=device-width, initial-scale=1.0">
                     <script>
+                        window.addEventListener('securitypolicyviolation', function (event) {
+                            const root = document.getElementById("root");
+                            root.innerHTML = ${htmlContent}
+                        });
                         window.staticBasePath = "${bundleDomain}/static"
                         window.dashboardAppPath = "${input.options.appInfo.apiBasePath
                             .appendPath(new NormalisedURLPath(DASHBOARD_API))
@@ -67,7 +82,25 @@ export default function getAPIImplementation(): APIInterface {
                         window.authMode = "${authMode}"
                         window.isSearchEnabled = "${isSearchEnabled}"
                     </script>
-                    <script defer src="${bundleDomain}/static/js/bundle.js"></script></head>
+                    
+                    <style>
+                        .csp-screen-container{
+                            display: flex;
+                            height: 100vh;
+                            align-items: center;
+                            justify-content: center;
+                            max-width: 480px;
+                            margin: auto;
+
+                            font-size: 16px;
+                        }
+                        .csp-screen-point{
+                            display: inline-block;
+                            margin: 4px 0px;
+                        }
+                    </style>
+
+                    <script defer src="${bundleDomain}/static/js/bundle.js"></script>
                     <link href="${bundleDomain}/static/css/main.css" rel="stylesheet" type="text/css">
                     <link rel="icon" type="image/x-icon" href="${bundleDomain}/static/media/favicon.ico">
                 </head>

lib/build/version.js

@@ -12,7 +12,7 @@
  * License for the specific language governing permissions and limitations
  * under the License.
  */
-export const version = "16.7.3";
+export const version = "16.7.4";
 
 export const cdiSupported = ["4.0"];
 

lib/ts/recipe/dashboard/api/implementation.ts

@@ -1,6 +1,6 @@
 {
     "name": "supertokens-node",
-    "version": "16.7.3",
+    "version": "16.7.4",
     "description": "NodeJS driver for SuperTokens core",
     "main": "index.js",
     "scripts": {