add unsafe-inline migration strategy
This commit is contained in:
parent
78cf681580
commit
dcecd5c4a9
|
@ -226,6 +226,8 @@ const environment = {
|
||||||
MIN_VERSION_WITHOUT_POWER_ROLE:
|
MIN_VERSION_WITHOUT_POWER_ROLE:
|
||||||
process.env.MIN_VERSION_WITHOUT_POWER_ROLE || "3.0.0",
|
process.env.MIN_VERSION_WITHOUT_POWER_ROLE || "3.0.0",
|
||||||
DISABLE_CONTENT_SECURITY_POLICY: process.env.DISABLE_CONTENT_SECURITY_POLICY,
|
DISABLE_CONTENT_SECURITY_POLICY: process.env.DISABLE_CONTENT_SECURITY_POLICY,
|
||||||
|
// stopgap migration strategy until we can ensure backwards compat without unsafe-inline in CSP
|
||||||
|
DISABLE_CSP_UNSAFE_INLINE_SCRIPTS: process.env.DISABLE_CSP_UNSAFE_INLINE_SCRIPTS,
|
||||||
}
|
}
|
||||||
|
|
||||||
export function setEnv(newEnvVars: Partial<typeof environment>): () => void {
|
export function setEnv(newEnvVars: Partial<typeof environment>): () => void {
|
||||||
|
|
|
@ -1,4 +1,5 @@
|
||||||
import crypto from "crypto"
|
import crypto from "crypto"
|
||||||
|
import env from "../environment"
|
||||||
|
|
||||||
const CSP_DIRECTIVES = {
|
const CSP_DIRECTIVES = {
|
||||||
"default-src": ["'self'"],
|
"default-src": ["'self'"],
|
||||||
|
@ -96,6 +97,10 @@ export async function contentSecurityPolicy(ctx: any, next: any) {
|
||||||
`'nonce-${nonce}'`,
|
`'nonce-${nonce}'`,
|
||||||
]
|
]
|
||||||
|
|
||||||
|
if (!env.DISABLE_CSP_UNSAFE_INLINE_SCRIPTS) {
|
||||||
|
directives["script-src"].push("'unsafe-inline'")
|
||||||
|
}
|
||||||
|
|
||||||
ctx.state.nonce = nonce
|
ctx.state.nonce = nonce
|
||||||
|
|
||||||
const cspHeader = Object.entries(directives)
|
const cspHeader = Object.entries(directives)
|
||||||
|
|
Loading…
Reference in New Issue