
fix: remove unsafe-inline and unsafe-eval (#4020)

remove unsafe-inline and unsafe-eval allowance
This commit is contained in:
simeng-li 2023-06-13 18:46:02 +08:00 committed by GitHub
parent 298d29c39f
commit 1b4fbc2df5
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 3 additions and 3 deletions


@ -96,7 +96,7 @@ export default function withSecurityHeaders<InputContext extends RequestContext>
directives: {
'upgrade-insecure-requests': null,
imgSrc: ["'self'", 'data:', 'https:'],
scriptSrc: ["'self'", "'unsafe-eval'", "'unsafe-inline'", ...gtagOrigins],
scriptSrc: ["'self'", ...gtagOrigins],
connectSrc: [
"'self'",
...adminOrigins,
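Review bot: The new scriptSrc line keeps `...gtagOrigins` but no longer permits inline script, so any inline gtag bootstrap snippet the app injects would be blocked by this policy; whether such a snippet exists is not visible in this hunk. If inline scripts are required, the CSP-conforming route is a per-request nonce or a hash of the fixed snippet rather than reinstating 'unsafe-inline'. Consider adding a `report-uri`/`report-to` directive so blocked loads surface in logs instead of as silent breakage, and a comment on the directive such as `// No 'unsafe-inline'/'unsafe-eval': inline scripts must be nonce- or hash-allowed` so the allowance is not reintroduced casually. The same removal appears in the two hunks of koaSecurityHeaders below. withSecurityHeaders continues outside the hunk.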


@ -77,7 +77,7 @@ export default function koaSecurityHeaders<StateT, ContextT, ResponseBodyT>(
directives: {
'upgrade-insecure-requests': null,
imgSrc: ["'self'", 'data:', 'https:'],
scriptSrc: ["'self'", "'unsafe-eval'", "'unsafe-inline'"],
scriptSrc: ["'self'"],
connectSrc: ["'self'", tenantEndpointOrigin, ...developmentOrigins, ...appInsightsOrigins],
// WARNING: high risk Need to allow self hosted terms of use page loaded in an iframe
frameSrc: ["'self'", 'https:'],
@ -97,7 +97,7 @@ export default function koaSecurityHeaders<StateT, ContextT, ResponseBodyT>(
directives: {
'upgrade-insecure-requests': null,
imgSrc: ["'self'", 'data:', 'https:'],
scriptSrc: ["'self'", "'unsafe-eval'", "'unsafe-inline'"],
scriptSrc: ["'self'"],
connectSrc: ["'self'", ...adminOrigins, ...coreOrigins, ...developmentOrigins],
// Allow Main Flow origin loaded in preview iframe
frameSrc: ["'self'", ...adminOrigins, ...coreOrigins],
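Review bot: The scriptSrc value `["'self'"]` is now repeated verbatim in both directive blocks of koaSecurityHeaders (the hunks at -77 and -97), alongside identical imgSrc and 'upgrade-insecure-requests' entries, so the two policies can silently drift apart on the next edit. Hoisting the shared entries into one constant (for example `const scriptSrc = ["'self'"];`) referenced by both blocks would keep the policies aligned. It is not visible here whether the file also carries a styleSrc with 'unsafe-inline'; if it does, a comment noting that it is intentionally left in place would help the next reader distinguish it from this cleanup. koaSecurityHeaders starts and ends outside the hunk.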