updates for release v1.0.7

Author: knihit

source/infrastructure/lib/api/rest-endpoint.ts

@@ -253,7 +253,7 @@ export class RestEndpoint extends Construct {
         // case creation
         caseResource.addCorsPreflight({
             allowOrigins: ['*'],
-            allowHeaders: ['*'],
+            allowHeaders: ['Content-Type, Access-Control-Allow-Headers, X-Requested-With, Authorization'],
             allowMethods: ['POST']
         });
         caseResource.addMethod('POST', postRequestLambdaIntegration, {
@@ -293,7 +293,7 @@ export class RestEndpoint extends Construct {
         const caseCaseIdResource = caseResource.addResource('{caseId}');
         caseCaseIdResource.addCorsPreflight({
             allowOrigins: ['*'],
-            allowHeaders: ['*'],
+            allowHeaders: ['Content-Type, Access-Control-Allow-Headers, X-Requested-With, Authorization'],
             allowMethods: ['GET']
         });
 
@@ -326,7 +326,7 @@ export class RestEndpoint extends Construct {
         const casesResource = apiRoot.addResource('cases');
         casesResource.addCorsPreflight({
             allowOrigins: ['*'],
-            allowHeaders: ['*'],
+            allowHeaders: ['Content-Type, Access-Control-Allow-Headers, X-Requested-With, Authorization'],
             allowMethods: ['GET']
         });
         casesResource.addMethod('GET', getRequestLambdaIntegration, {
@@ -352,7 +352,7 @@ export class RestEndpoint extends Construct {
         // Upload a document to a case
         documentResource.addCorsPreflight({
             allowOrigins: ['*'],
-            allowHeaders: ['*'],
+            allowHeaders: ['Content-Type, Access-Control-Allow-Headers, X-Requested-With, Authorization'],
             allowMethods: ['POST']
         });
         documentResource.addMethod('POST', postRequestLambdaIntegration, {
@@ -383,7 +383,7 @@ export class RestEndpoint extends Construct {
         const documentCaseIdDocIdResource = documentResource.addResource('{caseId}').addResource('{documentId}');
         documentCaseIdDocIdResource.addCorsPreflight({
             allowOrigins: ['*'],
-            allowHeaders: ['*'],
+            allowHeaders: ['Content-Type, Access-Control-Allow-Headers, X-Requested-With, Authorization'],
             allowMethods: ['GET']
         });
         documentCaseIdDocIdResource.addMethod('GET', getRequestLambdaIntegration, {
@@ -415,7 +415,10 @@ export class RestEndpoint extends Construct {
         const documentDownloadResource = documentResource.addResource('download');
         documentDownloadResource.addCorsPreflight({
             allowOrigins: ['*'],
-            allowHeaders: ['*'],
+            allowHeaders: [
+                'Content-Type, Access-Control-Allow-Headers, X-Requested-With, Authorization',
+                'Access-Control-Allow-Origin'
+            ],
             allowMethods: ['GET']
         });
         documentDownloadResource.addMethod('GET', getDocumentLambdaIntegration, {
@@ -450,7 +453,10 @@ export class RestEndpoint extends Construct {
             .addResource('{documentId}');
         inferencesResource.addCorsPreflight({
             allowOrigins: ['*'],
-            allowHeaders: ['*'],
+            allowHeaders: [
+                'Content-Type, Access-Control-Allow-Headers, X-Requested-With, Authorization',
+                'Access-Control-Allow-Origin'
+            ],
             allowMethods: ['GET']
         });
         inferencesResource.addMethod('GET', getInferenceLambdaIntegration, {
@@ -466,7 +472,10 @@ export class RestEndpoint extends Construct {
         const inferenceResource = inferencesResource.addResource('{inferenceType}');
         inferenceResource.addCorsPreflight({
             allowOrigins: ['*'],
-            allowHeaders: ['*'],
+            allowHeaders: [
+                'Content-Type, Access-Control-Allow-Headers, X-Requested-With, Authorization',
+                'Access-Control-Allow-Origin'
+            ],
             allowMethods: ['GET']
         });
         inferenceResource.addMethod('GET', getInferenceLambdaIntegration, {
@@ -487,7 +496,10 @@ export class RestEndpoint extends Construct {
         const redactResource = apiRoot.addResource('redact').addResource('{caseId}').addResource('{documentId}');
         redactResource.addCorsPreflight({
             allowOrigins: ['*'],
-            allowHeaders: ['*'],
+            allowHeaders: [
+                'Content-Type, Access-Control-Allow-Headers, X-Requested-With, Authorization',
+                'Access-Control-Allow-Origin'
+            ],
             allowMethods: ['POST']
         });
         redactResource.addMethod('POST', postRedactLambdaIntegration, {

source/infrastructure/lib/s3web/static-site.ts

@@ -81,6 +81,19 @@ export class StaticWebsite extends Construct {
             iam.Role.fromRoleArn(this, 'BucketPolicyLambdaRole', props.customResourceRoleArn)
         );
 
+        const cspResponseHeadersPolicy = new cloudfront.ResponseHeadersPolicy(this, 'CSPResponseHeadersPolicy', {
+            responseHeadersPolicyName: `eDU-CSPResponseHeadersPolicy-${cdk.Aws.STACK_NAME}-${cdk.Aws.REGION}`,
+            comment: 'CSP Response Headers Policy',
+            securityHeadersBehavior: {
+                contentSecurityPolicy: {
+                    contentSecurityPolicy:
+                        "default-src 'self' data: https://*.amazonaws.com; img-src 'self' data: https://*.cloudfront.net https://*.amazonaws.com; script-src 'self' http://*.cloudfront.net https://*.amazonaws.com; style-src 'self' 'unsafe-inline' https://*.amazonaws.com; object-src 'self' https://*.amazonaws.com; worker-src 'self' blob:",
+                    override: true
+                },
+                frameOptions: { frameOption: cloudfront.HeadersFrameOption.DENY, override: true }
+            }
+        });
+
         const cloudfrontToS3 = new CloudFrontToS3(this, 'UI', {
             existingBucketObj: this.webS3Bucket,
             cloudFrontDistributionProps: {
@@ -91,7 +104,10 @@ export class StaticWebsite extends Construct {
                 ],
                 logFilePrefix: 'cloudfront/',
                 minimumProtocolVersion: cloudfront.SecurityPolicyProtocol.TLS_V1_2_2019,
-                defaultRootObject: 'login.html'
+                defaultRootObject: 'login.html',
+                defaultBehavior: {
+                    responseHeadersPolicy: cspResponseHeadersPolicy
+                }
             }
         });
 

source/infrastructure/lib/search/indexed-storage.ts

@@ -128,7 +128,10 @@ export class IndexedStorage extends Construct {
             .addResource('{query}');
         kendraSearchResource.addCorsPreflight({
             allowOrigins: ['*'],
-            allowHeaders: ['*'],
+            allowHeaders: [
+                'Content-Type, Access-Control-Allow-Headers, X-Requested-With, Authorization',
+                'Access-Control-Allow-Origin'
+            ],
             allowMethods: ['GET']
         });
 

source/lambda/layers/common-node-lib/response-formatter/error-response.js

@@ -33,7 +33,8 @@ function formatError(error) {
         'statusCode': error.statusCode,
         'headers': {
             'Content-Type': 'text/plain',
-            'x-amzn-ErrorType': error.code
+            'x-amzn-ErrorType': error.code,
+            'Access-Control-Allow-Origin': '*' // NOSONAR - javascript:S5122 - Domain not known at this point.
         },
         'isBase64Encoded': false,
         'body': error.code + ': ' + error.message

source/lambda/layers/common-node-lib/test/response-formatter/error-response.spec.js

@@ -26,7 +26,8 @@ describe('When formatting error responses as HTTP responses', () => {
             'statusCode': '400',
             'headers': {
                 'Content-Type': 'text/plain',
-                'x-amzn-ErrorType': 'CustomExecutionError'
+                'x-amzn-ErrorType': 'CustomExecutionError',
+                'Access-Control-Allow-Origin': '*' // NOSONAR - javascript:S5122 - Domain not known at this point.
             },
             'isBase64Encoded': false,
             'body': 'CustomExecutionError: Test error'
@@ -42,7 +43,8 @@ describe('When formatting error responses as HTTP responses', () => {
             'statusCode': '501',
             'headers': {
                 'Content-Type': 'text/plain',
-                'x-amzn-ErrorType': 'TestCustomError'
+                'x-amzn-ErrorType': 'TestCustomError',
+                'Access-Control-Allow-Origin': '*' // NOSONAR - javascript:S5122 - Domain not known at this point.
             },
             'isBase64Encoded': false,
             'body': 'TestCustomError: Test error'
@@ -55,7 +57,8 @@ describe('When formatting error responses as HTTP responses', () => {
             'statusCode': '400',
             'headers': {
                 'Content-Type': 'text/plain',
-                'x-amzn-ErrorType': 'CustomExecutionError'
+                'x-amzn-ErrorType': 'CustomExecutionError',
+                'Access-Control-Allow-Origin': '*' // NOSONAR - javascript:S5122 - Domain not known at this point.
             },
             'isBase64Encoded': false,
             'body': 'CustomExecutionError: Test error'

source/ui/public/index.html

@@ -11,9 +11,9 @@
   <link rel="icon" href="%PUBLIC_URL%/favicon.png" />
   <meta name="viewport" content="width=device-width, initial-scale=1" />
   <meta name="theme-color" content="#000000" />
-  <meta http-equiv="Content-Security-Policy" content="default-src 'none'; base-uri 'none'; upgrade-insecure-requests; img-src 'self' data: https://*.amazonaws.com; script-src 'self';
-    style-src 'self' 'unsafe-inline' https:; object-src 'none'; font-src 'self' https: data:;
-    manifest-src 'self'; connect-src 'self' https://*.amazonaws.com" />
+  <meta http-equiv="default-src 'self'; base-uri 'none'; upgrade-insecure-requests; img-src 'self' data: https://*.amazonaws.com; script-src 'self' 'unsafe-inline';
+  style-src 'self' 'unsafe-inline' https:; object-src 'none'; font-src 'self' https: data:;
+  manifest-src 'self'; connect-src 'self' https://*.amazonaws.com" />
   <title>Enhanced Document Understanding on AWS</title>
 </head>