From dcecd5c4a98a2133189fbcb9185397b4dc268f52 Mon Sep 17 00:00:00 2001
From: Martin McKeaveney
Date: Fri, 15 Nov 2024 15:02:34 +0000
Subject: [PATCH] add unsafe-inline migration strategy

---
 packages/backend-core/src/environment.ts | 2 ++
 .../backend-core/src/middleware/contentSecurityPolicy.ts | 5 +++++
 2 files changed, 7 insertions(+)

diff --git a/packages/backend-core/src/environment.ts b/packages/backend-core/src/environment.ts
index 0a9dd822a0..e71b30e969 100644
--- a/packages/backend-core/src/environment.ts
+++ b/packages/backend-core/src/environment.ts
@@ -226,6 +226,8 @@ const environment = {
   MIN_VERSION_WITHOUT_POWER_ROLE:
     process.env.MIN_VERSION_WITHOUT_POWER_ROLE || "3.0.0",
   DISABLE_CONTENT_SECURITY_POLICY: process.env.DISABLE_CONTENT_SECURITY_POLICY,
+  // stopgap migration strategy until we can ensure backwards compat without unsafe-inline in CSP
+  DISABLE_CSP_UNSAFE_INLINE_SCRIPTS: process.env.DISABLE_CSP_UNSAFE_INLINE_SCRIPTS,
 }
 
 export function setEnv(newEnvVars: Partial): () => void {
diff --git a/packages/backend-core/src/middleware/contentSecurityPolicy.ts b/packages/backend-core/src/middleware/contentSecurityPolicy.ts
index d1668d3dd5..e0dfbe6f64 100644
--- a/packages/backend-core/src/middleware/contentSecurityPolicy.ts
+++ b/packages/backend-core/src/middleware/contentSecurityPolicy.ts
@@ -1,4 +1,5 @@
 import crypto from "crypto"
+import env from "../environment"
 
 const CSP_DIRECTIVES = {
   "default-src": ["'self'"],
@@ -96,6 +97,10 @@ export async function contentSecurityPolicy(ctx: any, next: any) {
       `'nonce-${nonce}'`,
     ]
 
+    if (!env.DISABLE_CSP_UNSAFE_INLINE_SCRIPTS) {
+      directives["script-src"].push("'unsafe-inline'")
+    }
+
     ctx.state.nonce = nonce
 
     const cspHeader = Object.entries(directives)
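Review bot: The new `DISABLE_CSP_UNSAFE_INLINE_SCRIPTS` entry in the `environment` object inverts the usual safe default — when the variable is unset the policy keeps `'unsafe-inline'` — but the comment above it only says "stopgap" and does not state that, so an operator reading the config cannot tell which way the switch points. I would extend the comment to `// stopgap: unless this is set, 'unsafe-inline' is kept in script-src for backwards compat; remove once the migration in <TRACKING-ISSUE placeholder> lands`. Like `DISABLE_CONTENT_SECURITY_POLICY` on the line above, the value is the raw `process.env` string, so any non-empty value (including `"false"`) counts as set in the consuming middleware; either note that in the comment or normalize the value here so both flags are read the same way. The `environment` object begins before this hunk.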
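Review bot: Appending `'unsafe-inline'` to a `script-src` list that already carries the `'nonce-${nonce}'` source two lines above does not re-enable un-nonced inline scripts on CSP Level 2 and later browsers — when a nonce or hash source is present in the directive the user agent ignores `'unsafe-inline'` — so the fallback only takes effect in older user agents, where it removes inline-script protection altogether. If the aim is to let legacy inline scripts run during the migration, the nonce source would have to be omitted for those deployments, or hashes added for the known inline scripts; as written the branch is effectively a no-op on current browsers and should at least carry a comment saying so, e.g. `// NOTE: ignored by CSP2+ browsers because a nonce is present; only relaxes legacy user agents`. The guard is a truthiness check on a raw env string, so `DISABLE_CSP_UNSAFE_INLINE_SCRIPTS=false` also disables the fallback; an explicit comparison such as `if (env.DISABLE_CSP_UNSAFE_INLINE_SCRIPTS !== "true")` would make the intended values clear. This assumes `directives` is a per-request copy (the per-request nonce suggests it is); if it were shared module state the `push` would accumulate across requests. contentSecurityPolicy's body continues outside the hunk.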