From 9525cf8682c7ef6fb899d3c9fd5a2901ff851223 Mon Sep 17 00:00:00 2001
From: Martin McKeaveney
Date: Sun, 10 Nov 2024 13:11:49 +0000
Subject: [PATCH] make directives immutable

---
 .../backend-core/src/middleware/contentSecurityPolicy.ts | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/packages/backend-core/src/middleware/contentSecurityPolicy.ts b/packages/backend-core/src/middleware/contentSecurityPolicy.ts
index 008c7ddc83..f06fc567a4 100644
--- a/packages/backend-core/src/middleware/contentSecurityPolicy.ts
+++ b/packages/backend-core/src/middleware/contentSecurityPolicy.ts
@@ -90,11 +90,12 @@ export async function contentSecurityPolicy(ctx: any, next: any) {
 try {
 const nonce = crypto.randomBytes(16).toString("base64")
- CSP_DIRECTIVES["script-src"].push(`'nonce-${nonce}'`)
+ const directives = { ...CSP_DIRECTIVES }
+ directives["script-src"] = [...CSP_DIRECTIVES["script-src"], `'nonce-${nonce}'`]
 ctx.state.nonce = nonce
- const cspHeader = Object.entries(CSP_DIRECTIVES)
+ const cspHeader = Object.entries(directives)
 .map(([key, sources]) => `${key} ${sources.join(" ")}`)
 .join("; ")
 ctx.set("Content-Security-Policy", cspHeader)