refactor(core): remove the reportOnly flag (#3849)

* refactor(core): remove the reportOnly flag

remove all the reportOnly flag of the CSP security headers. Bring up strict policy check

* chore: add changeset

add changeset

.changeset/cool-oranges-cheer.md

@@ -0,0 +1,8 @@
+---
+"@logto/cloud": patch
+"@logto/core": patch
+---
+
+### Enable strict CSP policy check header
+
+This change removes the report only flag from CSP security header settings, which will enables the strict CSP policy check for all requests.

packages/cloud/src/middleware/with-security-headers.ts

@@ -86,8 +86,6 @@ export default function withSecurityHeaders<InputContext extends RequestContext>
         frameguard: false,
         contentSecurityPolicy: {
           useDefaults: true,
-          // Temporary set to report only to avoid breaking the app
-          reportOnly: true,
           directives: {
             'upgrade-insecure-requests': null,
             imgSrc: ["'self'", 'data:', 'https:'],

packages/core/src/middleware/koa-security-headers.ts

@@ -76,8 +76,6 @@ export default function koaSecurityHeaders<StateT, ContextT, ResponseBodyT>(
     },
     contentSecurityPolicy: {
       useDefaults: true,
-      // Temporary set to report only to avoid breaking the app
-      reportOnly: true,
       directives: {
         'upgrade-insecure-requests': null,
         imgSrc: ["'self'", 'data:', 'https:'],
@@ -103,8 +101,6 @@ export default function koaSecurityHeaders<StateT, ContextT, ResponseBodyT>(
     frameguard: false,
     contentSecurityPolicy: {
       useDefaults: true,
-      // Temporary set to report only to avoid breaking the app
-      reportOnly: true,
       directives: {
         'upgrade-insecure-requests': null,
         imgSrc: ["'self'", 'data:', 'https:'],