From 1b4fbc2df5b29ad7e22af2b338356a22fdc726b0 Mon Sep 17 00:00:00 2001
From: simeng-li
Date: Tue, 13 Jun 2023 18:46:02 +0800
Subject: [PATCH] fix: remove unsafe-inline and unsafe-eval (#4020)

remove unsafe-inline and unsafe-eval allowance
---
 packages/cloud/src/middleware/with-security-headers.ts | 2 +-
 packages/core/src/middleware/koa-security-headers.ts | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/packages/cloud/src/middleware/with-security-headers.ts b/packages/cloud/src/middleware/with-security-headers.ts
index 816873547..500155d8d 100644
--- a/packages/cloud/src/middleware/with-security-headers.ts
+++ b/packages/cloud/src/middleware/with-security-headers.ts
@@ -96,7 +96,7 @@ export default function withSecurityHeaders
 directives: {
 'upgrade-insecure-requests': null,
 imgSrc: ["'self'", 'data:', 'https:'],
- scriptSrc: ["'self'", "'unsafe-eval'", "'unsafe-inline'", ...gtagOrigins],
+ scriptSrc: ["'self'", ...gtagOrigins],
 connectSrc: [
 "'self'",
 ...adminOrigins,
diff --git a/packages/core/src/middleware/koa-security-headers.ts b/packages/core/src/middleware/koa-security-headers.ts
index 5884ecd66..71f48b444 100644
--- a/packages/core/src/middleware/koa-security-headers.ts
+++ b/packages/core/src/middleware/koa-security-headers.ts
@@ -77,7 +77,7 @@ export default function koaSecurityHeaders(
 directives: {
 'upgrade-insecure-requests': null,
 imgSrc: ["'self'", 'data:', 'https:'],
- scriptSrc: ["'self'", "'unsafe-eval'", "'unsafe-inline'"],
+ scriptSrc: ["'self'"],
 connectSrc: ["'self'", tenantEndpointOrigin, ...developmentOrigins, ...appInsightsOrigins],
 // WARNING: high risk Need to allow self hosted terms of use page loaded in an iframe
 frameSrc: ["'self'", 'https:'],
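Review bot: With `'unsafe-inline'` dropped from `scriptSrc`, the `...gtagOrigins` entries only permit script files fetched from those hosts, so any inline tag-manager bootstrap snippet in the served HTML would now be blocked; it should be confirmed that the analytics tag is loaded as an external script. If an inline snippet is unavoidable, the usual path is a per-request nonce or a hash rather than re-adding `'unsafe-inline'`: with helmet a directive entry may be a function returning the string `'nonce-…'` built from a per-request value, with the same nonce rendered on the tag. Rolling the tightened policy out as report-only first (helmet's `reportOnly: true` together with a `report-to`/`report-uri` directive) gives a way to see violations before enforcement breaks the console. Whether this middleware is helmet-based is inferred from the directive shape; the enclosing `withSecurityHeaders` function begins and ends outside the hunk.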
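Review bot: Removing `'unsafe-eval'` here (and in the identical change at `@@ -97` further down in koaSecurityHeaders) also blocks `eval`/`new Function` in any bundle served under this policy; since `...developmentOrigins` is part of the same directives, development builds that rely on eval-based source maps would be the first to fail, which is worth checking in the dev setup rather than re-adding the directive later. The new `scriptSrc` line carries no rationale while the neighbouring `frameSrc` has a WARNING comment; a short comment such as `// No 'unsafe-inline'/'unsafe-eval': console scripts must be external; use nonces/hashes if inline code is ever required` would stop the exemptions from drifting back in. The enclosing `koaSecurityHeaders` function begins and ends outside both hunks.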
@@ -97,7 +97,7 @@ export default function koaSecurityHeaders(
 directives: {
 'upgrade-insecure-requests': null,
 imgSrc: ["'self'", 'data:', 'https:'],
- scriptSrc: ["'self'", "'unsafe-eval'", "'unsafe-inline'"],
+ scriptSrc: ["'self'"],
 connectSrc: ["'self'", ...adminOrigins, ...coreOrigins, ...developmentOrigins],
 // Allow Main Flow origin loaded in preview iframe
 frameSrc: ["'self'", ...adminOrigins, ...coreOrigins],
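Review bot: The `directives` literal in this hunk repeats `'upgrade-insecure-requests'`, `imgSrc` and now `scriptSrc: ["'self'"]` verbatim from the block at `@@ -77`, which is why this commit had to make the same edit twice and why the two policies can silently diverge the next time one of them is tightened. A shared `const baseDirectives = { 'upgrade-insecure-requests': null, imgSrc: ["'self'", 'data:', 'https:'], scriptSrc: ["'self'"] };` spread into both literals as `...baseDirectives,` would keep the script policy in one place; whether anything else between the two blocks differs cannot be seen from the hunks. The enclosing `koaSecurityHeaders` function continues outside the hunk.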