Remove unsafe-inline from CSP
Signed-off-by: Thomas Citharel <tcit@tcit.fr>
parent
b92a6e5ffc
commit
b196719238
@ -51,8 +51,7 @@ defmodule Mobilizon.Web.Plugs.HTTPSecurityPlug do
|
||||||
# Connect-src is available for any origin (*) because of webfinger query to redirect to content
|
# Connect-src is available for any origin (*) because of webfinger query to redirect to content
|
||||||
@connect_src "connect-src 'self' * blob: "
|
@connect_src "connect-src 'self' * blob: "
|
||||||
# unsafe-eval is because of JS issues with regenerator-runtime
|
# unsafe-eval is because of JS issues with regenerator-runtime
|
||||||
# unsafe-inline will be overriten in prod with sha256 hash
|
@script_src "script-src 'self' 'unsafe-eval' "
|
||||||
@script_src "script-src 'self' 'unsafe-eval' 'unsafe-inline' "
|
|
||||||
@style_src "style-src 'self' "
|
@style_src "style-src 'self' "
|
||||||
@font_src "font-src 'self' "
|
@font_src "font-src 'self' "
|
||||||
|
|
||||||
|
@ -76,7 +75,7 @@ defmodule Mobilizon.Web.Plugs.HTTPSecurityPlug do
|
||||||
|
|
||||||
script_src =
|
script_src =
|
||||||
if Config.get(:env) == :dev do
|
if Config.get(:env) == :dev do
|
||||||
@script_src
|
[@script_src, "'unsafe-inline' "]
|
||||||
else
|
else
|
||||||
[
|
[
|
||||||
@script_src,
|
@script_src,
|
||||||
|
|
|
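Review bot: The dev branch at L69 still appends 'unsafe-inline' to script-src, and with the explanatory comment from L28 removed nothing in the module says why dev alone needs it; a one-line comment on the `if Config.get(:env) == :dev do` branch, e.g. `# dev only: inline scripts here carry no sha256 hash, so 'unsafe-inline' is kept; prod relies on the hash instead`, would keep that reasoning next to the code. The hash/dev relationship is inferred from the removed comment rather than from visible code, so adjust the wording if dev builds do emit a hash. The 'unsafe-eval' token on the new L30 is untouched and still permits eval-based execution under the policy, so the regenerator-runtime justification on L23 deserves a re-check the next time that dependency is upgraded. The else branch of this expression continues past the hunk.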
@ -73,7 +73,7 @@ defmodule Mobilizon.Web.Plugs.HTTPSecurityPlugTest do
|
||||||
[csp] = Conn.get_resp_header(conn, "content-security-policy")
|
[csp] = Conn.get_resp_header(conn, "content-security-policy")
|
||||||
|
|
||||||
assert csp =~
|
assert csp =~
|
||||||
~r/script-src 'self' 'unsafe-eval' 'unsafe-inline' 'sha256-[\w+\/=]*' example.com matomo.example.com;/
|
~r/script-src 'self' 'unsafe-eval' 'sha256-[\w+\/=]*' example.com matomo.example.com;/
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
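Review bot: The rewritten regex on L108 pins the prod script-src shape, but the test never asserts the absence of 'unsafe-inline', which is the property this commit is about; a direct `refute csp =~ ~r/'unsafe-inline'/` next to the assert would document the intent and also cover the other directives the regex does not pin. The digest group `[\w+\/=]*` also accepts an empty 'sha256-' token; `[\w+\/=]+` would require an actual digest (pre-existing, not introduced here). The enclosing test case starts outside the hunk.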