fix: remove unsafe-inline and unsafe-eval (#4020)
Remove the unsafe-inline and unsafe-eval allowances from the script-src directives.
This commit is contained in:
parent
298d29c39f
commit
1b4fbc2df5
2 changed files with 3 additions and 3 deletions
|
@ -96,7 +96,7 @@ export default function withSecurityHeaders<InputContext extends RequestContext>
|
|||
directives: {
|
||||
'upgrade-insecure-requests': null,
|
||||
imgSrc: ["'self'", 'data:', 'https:'],
|
||||
scriptSrc: ["'self'", "'unsafe-eval'", "'unsafe-inline'", ...gtagOrigins],
|
||||
scriptSrc: ["'self'", ...gtagOrigins],
|
||||
connectSrc: [
|
||||
"'self'",
|
||||
...adminOrigins,
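Review bot: With `'unsafe-inline'` dropped from the new `scriptSrc` line, any inline script the page still emits is blocked, and the hunk adds no nonce or hash source to cover one; the `...gtagOrigins` spread only whitelists external script origins. If the analytics integration is bootstrapped by an inline snippet rather than a `<script src>` served from one of those origins, this change will break it silently in the browser. A comment on the new line would record the contract the rest of the app must now honour, e.g. `// No inline/eval scripts allowed: every script must be an external <script src> from 'self' or a gtag origin`. withSecurityHeaders' body starts and ends outside this hunk.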
|
||||
|
|
|
@ -77,7 +77,7 @@ export default function koaSecurityHeaders<StateT, ContextT, ResponseBodyT>(
|
|||
directives: {
|
||||
'upgrade-insecure-requests': null,
|
||||
imgSrc: ["'self'", 'data:', 'https:'],
|
||||
scriptSrc: ["'self'", "'unsafe-eval'", "'unsafe-inline'"],
|
||||
scriptSrc: ["'self'"],
|
||||
connectSrc: ["'self'", tenantEndpointOrigin, ...developmentOrigins, ...appInsightsOrigins],
|
||||
// WARNING: high risk Need to allow self hosted terms of use page loaded in an iframe
|
||||
frameSrc: ["'self'", 'https:'],
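Review bot: The tightened `scriptSrc: ["'self'"]` now rejects inline and eval'd scripts, but the directives in this hunk (and in the identical change at `@ -97,7 +97,7` below) include no reporting directive, so a regression that reintroduces an inline script would surface only as a blocked resource in the user's browser, invisible server-side. Consider adding a `reportUri`/`reportTo` directive pointing at an endpoint of your choosing alongside the stricter policy, so violations are observable in logs. Failing that, a one-line comment such as `// Bundled frontend ships no inline or eval'd scripts; keep it that way or this policy breaks it` would document why the allowance could be removed. koaSecurityHeaders' body starts and ends outside this hunk.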
|
||||
|
@ -97,7 +97,7 @@ export default function koaSecurityHeaders<StateT, ContextT, ResponseBodyT>(
|
|||
directives: {
|
||||
'upgrade-insecure-requests': null,
|
||||
imgSrc: ["'self'", 'data:', 'https:'],
|
||||
scriptSrc: ["'self'", "'unsafe-eval'", "'unsafe-inline'"],
|
||||
scriptSrc: ["'self'"],
|
||||
connectSrc: ["'self'", ...adminOrigins, ...coreOrigins, ...developmentOrigins],
|
||||
// Allow Main Flow origin loaded in preview iframe
|
||||
frameSrc: ["'self'", ...adminOrigins, ...coreOrigins],
|
||||
|