diff --git a/packages/backend-core/src/environment.ts b/packages/backend-core/src/environment.ts
index 0a9dd822a0..e71b30e969 100644
--- a/packages/backend-core/src/environment.ts
+++ b/packages/backend-core/src/environment.ts
@@ -226,6 +226,8 @@ const environment = {
   MIN_VERSION_WITHOUT_POWER_ROLE: process.env.MIN_VERSION_WITHOUT_POWER_ROLE || "3.0.0",
   DISABLE_CONTENT_SECURITY_POLICY: process.env.DISABLE_CONTENT_SECURITY_POLICY,
+  // stopgap migration strategy until we can ensure backwards compat without unsafe-inline in CSP
+  DISABLE_CSP_UNSAFE_INLINE_SCRIPTS: process.env.DISABLE_CSP_UNSAFE_INLINE_SCRIPTS,
 }
 
 export function setEnv(newEnvVars: Partial): () => void {
diff --git a/packages/backend-core/src/middleware/contentSecurityPolicy.ts b/packages/backend-core/src/middleware/contentSecurityPolicy.ts
index d1668d3dd5..e0dfbe6f64 100644
--- a/packages/backend-core/src/middleware/contentSecurityPolicy.ts
+++ b/packages/backend-core/src/middleware/contentSecurityPolicy.ts
@@ -1,4 +1,5 @@
 import crypto from "crypto"
+import env from "../environment"
 
 const CSP_DIRECTIVES = {
   "default-src": ["'self'"],
@@ -96,6 +97,10 @@ export async function contentSecurityPolicy(ctx: any, next: any) {
     `'nonce-${nonce}'`,
   ]
 
+  if (!env.DISABLE_CSP_UNSAFE_INLINE_SCRIPTS) {
+    directives["script-src"].push("'unsafe-inline'")
+  }
+
   ctx.state.nonce = nonce
 
   const cspHeader = Object.entries(directives)
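Review bot: DISABLE_CSP_UNSAFE_INLINE_SCRIPTS is stored as the raw environment string, so any non-empty value, including `"false"` or `"0"`, is truthy wherever it is tested with `!env.DISABLE_CSP_UNSAFE_INLINE_SCRIPTS` (as the contentSecurityPolicy hunk in this commit does), and an operator who sets it to `false` to keep the stopgap would instead drop `'unsafe-inline'` from the policy. The neighbouring DISABLE_CONTENT_SECURITY_POLICY follows the same raw-string pattern, so this is consistent with the file, but because this flag changes a security-relevant default the accepted values should be stated on the new comment, e.g. `// any non-empty value removes 'unsafe-inline' from script-src; leave unset to keep the stopgap`, or the value normalised here with `DISABLE_CSP_UNSAFE_INLINE_SCRIPTS: process.env.DISABLE_CSP_UNSAFE_INLINE_SCRIPTS === "true",` if no caller relies on it being a string. The `environment` object starts before this hunk.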
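Review bot: The default branch pushes `'unsafe-inline'` into a `script-src` list that, judging by the `'nonce-${nonce}'` entry closing just above it, already carries a nonce source, and CSP Level 2+ user agents ignore `'unsafe-inline'` whenever a nonce or hash source is present in the same directive, so in current browsers this stopgap does not re-enable un-nonced inline scripts and only legacy CSP1-only clients see the relaxation. Either the comment at this site should say so, e.g. `// 'unsafe-inline' is ignored by browsers that honour the nonce; only CSP1-era clients are relaxed`, or the compatibility mode needs to be designed around that rule rather than relying on the two sources coexisting. The relaxation is also opt-out — an unset variable yields the weaker policy — which deserves a line here such as `// default keeps 'unsafe-inline'; set DISABLE_CSP_UNSAFE_INLINE_SCRIPTS to enforce nonce-only scripts`. If `directives` is derived from the module-level CSP_DIRECTIVES without copying its arrays, the push would accumulate one `'unsafe-inline'` per request; that construction is outside the hunk, so verify. contentSecurityPolicy starts before the hunk and continues after it.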