add unsafe-inline migration strategy

This commit is contained in:
Martin McKeaveney 2024-11-15 15:02:34 +00:00
parent 78cf681580
commit dcecd5c4a9
2 changed files with 7 additions and 0 deletions

View File

@ -226,6 +226,8 @@ const environment = {
MIN_VERSION_WITHOUT_POWER_ROLE: MIN_VERSION_WITHOUT_POWER_ROLE:
process.env.MIN_VERSION_WITHOUT_POWER_ROLE || "3.0.0", process.env.MIN_VERSION_WITHOUT_POWER_ROLE || "3.0.0",
DISABLE_CONTENT_SECURITY_POLICY: process.env.DISABLE_CONTENT_SECURITY_POLICY, DISABLE_CONTENT_SECURITY_POLICY: process.env.DISABLE_CONTENT_SECURITY_POLICY,
// stopgap migration strategy until we can ensure backwards compat without unsafe-inline in CSP
DISABLE_CSP_UNSAFE_INLINE_SCRIPTS: process.env.DISABLE_CSP_UNSAFE_INLINE_SCRIPTS,
} }
export function setEnv(newEnvVars: Partial<typeof environment>): () => void { export function setEnv(newEnvVars: Partial<typeof environment>): () => void {

View File

@ -1,4 +1,5 @@
import crypto from "crypto" import crypto from "crypto"
import env from "../environment"
const CSP_DIRECTIVES = { const CSP_DIRECTIVES = {
"default-src": ["'self'"], "default-src": ["'self'"],
@ -96,6 +97,10 @@ export async function contentSecurityPolicy(ctx: any, next: any) {
`'nonce-${nonce}'`, `'nonce-${nonce}'`,
] ]
if (!env.DISABLE_CSP_UNSAFE_INLINE_SCRIPTS) {
directives["script-src"].push("'unsafe-inline'")
}
ctx.state.nonce = nonce ctx.state.nonce = nonce
const cspHeader = Object.entries(directives) const cspHeader = Object.entries(directives)