Merge branch 'remove-unsafe-inline' into 'master'

Remove unsafe-inline from CSP

See merge request framasoft/mobilizon!974
Thomas Citharel 2021-07-02 08:20:02 +00:00
commit ed0408d3bf
2 changed files with 3 additions and 4 deletions


@ -51,8 +51,7 @@ defmodule Mobilizon.Web.Plugs.HTTPSecurityPlug do
# Connect-src is available for any origin (*) because of webfinger query to redirect to content # Connect-src is available for any origin (*) because of webfinger query to redirect to content
@connect_src "connect-src 'self' * blob: " @connect_src "connect-src 'self' * blob: "
# unsafe-eval is because of JS issues with regenerator-runtime # unsafe-eval is because of JS issues with regenerator-runtime
# unsafe-inline will be overriten in prod with sha256 hash @script_src "script-src 'self' 'unsafe-eval' "
@script_src "script-src 'self' 'unsafe-eval' 'unsafe-inline' "
@style_src "style-src 'self' " @style_src "style-src 'self' "
@font_src "font-src 'self' " @font_src "font-src 'self' "
@ -76,7 +75,7 @@ defmodule Mobilizon.Web.Plugs.HTTPSecurityPlug do
script_src = script_src =
if Config.get(:env) == :dev do if Config.get(:env) == :dev do
@script_src [@script_src, "'unsafe-inline' "]
else else
[ [
@script_src, @script_src,
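Review bot: The removed comment in the first hunk ("unsafe-inline will be overriten in prod with sha256 hash") was the only explanation of the dev/prod split, and the second hunk now carries that split in code without saying why the `:dev` branch still appends `'unsafe-inline'`; I would put a line above the `if Config.get(:env) == :dev do` such as `# dev only: the development build still relies on inline scripts (confirm against the frontend tooling); prod allows inline scripts only via the sha256 hash below`. Worth noting for reviewers that CSP Level 2+ browsers already ignore `'unsafe-inline'` when a hash or nonce is present in the same directive, so the production policy was effectively hash-only before this change and the visible effect is on older browsers and on policy readability. The `[@script_src, "'unsafe-inline' "]` form keeps the trailing-space convention of the module attributes, which is consistent with the `else` branch list. The `script_src =` assignment and its `else` list continue outside the hunk.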


@ -73,7 +73,7 @@ defmodule Mobilizon.Web.Plugs.HTTPSecurityPlugTest do
[csp] = Conn.get_resp_header(conn, "content-security-policy") [csp] = Conn.get_resp_header(conn, "content-security-policy")
assert csp =~ assert csp =~
~r/script-src 'self' 'unsafe-eval' 'unsafe-inline' 'sha256-[\w+\/=]*' example.com matomo.example.com;/ ~r/script-src 'self' 'unsafe-eval' 'sha256-[\w+\/=]*' example.com matomo.example.com;/
end end
end end
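Review bot: The updated regex on the assertion line still uses `'sha256-[\w+\/=]*'`, so a policy that emitted an empty hash (`'sha256-'`) would satisfy the test even though it would allow no inline script at all; a quantifier that requires at least one character, `~r/script-src 'self' 'unsafe-eval' 'sha256-[\w+\/=]+' example.com matomo.example.com;/`, pins what the production branch is expected to emit. A fixed length would be stricter still, but `+` keeps the test independent of the exact padding of the encoded digest. The `test` block this assertion belongs to starts outside the hunk.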