fix(core): allow ui unsafe inline script (#4497)

fix(core): all ui unsafe inline all ui unsafe inline
2024-12-16 20:26:19 -05:00 · 2023-09-15 10:22:13 +08:00 · 2023-09-15 10:22:13 +08:00 · 5556a73b0a
commit 5556a73b0a
parent 926da108e8
1 changed files with 2 additions and 1 deletions
--- a/packages/core/src/middleware/koa-security-headers.ts
+++ b/packages/core/src/middleware/koa-security-headers.ts
@ -80,7 +80,8 @@ export default function koaSecurityHeaders<StateT, ContextT, ResponseBodyT>(
        // Non-production environment allow "unsafe-eval" and "unsafe-inline" for debugging purpose
        scriptSrc: [
          "'self'",
-          ...conditionalArray(!isProduction && ["'unsafe-eval'", "'unsafe-inline'"]),
+          "'unsafe-inline'",
+          ...conditionalArray(!isProduction && "'unsafe-eval'"),
        ],
        connectSrc: ["'self'", tenantEndpointOrigin, ...developmentOrigins, ...appInsightsOrigins],
        // WARNING: high risk Need to allow self hosted terms of use page loaded in an iframe