task: added flag to remove unsafe inline style src header

Unleash · Jul 10, 2024 · 8aaffd5 · 8aaffd5
1 parent 3fe110f
commit 8aaffd5
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 10 deletions.
diff --git a/src/lib/middleware/secure-headers.ts b/src/lib/middleware/secure-headers.ts
@@ -5,6 +5,20 @@ import { hoursToSeconds } from 'date-fns';
 
 const secureHeaders: (config: IUnleashConfig) => RequestHandler = (config) => {
     if (config.secureHeaders) {
+        const includeUnsafeInline = !config.flagResolver.isEnabled(
+            'removeUnsafeInlineStyleSrc',
+        );
+        const styleSrc = ["'self'"];
+        if (includeUnsafeInline) {
+            styleSrc.push("'unsafe-inline'");
+        }
+        styleSrc.push(
+            'cdn.getunleash.io',
+            'fonts.googleapis.com',
+            'fonts.gstatic.com',
+            'data:',
+            ...config.additionalCspAllowedDomains.styleSrc,
+        );
         const defaultHelmet = helmet({
             hsts: {
                 maxAge: hoursToSeconds(24 * 365 * 2), // 2 non-leap years
@@ -26,15 +40,7 @@ const secureHeaders: (config: IUnleashConfig) => RequestHandler = (config) => {
                         'fonts.gstatic.com',
                         ...config.additionalCspAllowedDomains.fontSrc,
                     ],
-                    styleSrc: [
-                        "'self'",
-                        "'unsafe-inline'",
-                        'cdn.getunleash.io',
-                        'fonts.googleapis.com',
-                        'fonts.gstatic.com',
-                        'data:',
-                        ...config.additionalCspAllowedDomains.styleSrc,
-                    ],
+                    styleSrc,
                     scriptSrc: [
                         "'self'",
                         'cdn.getunleash.io',

diff --git a/src/lib/types/experimental.ts b/src/lib/types/experimental.ts
@@ -65,7 +65,8 @@ export type IFlagKey =
     | 'resourceLimits'
     | 'extendedMetrics'
     | 'cleanApiTokenWhenOrphaned'
-    | 'allowOrphanedWildcardTokens';
+    | 'allowOrphanedWildcardTokens'
+    | 'removeUnsafeInlineStyleSrc';
 
 export type IFlags = Partial<{ [key in IFlagKey]: boolean | Variant }>;
 
@@ -314,6 +315,10 @@ const flags: IFlags = {
         process.env.UNLEASH_EXPERIMENTAL_CLEAN_API_TOKEN_WHEN_ORPHANED,
         false,
     ),
+    removeUnsafeInlineStyleSrc: parseEnvVarBoolean(
+        process.env.UNLEASH_EXPERIMENTAL_REMOVE_UNSAFE_INLINE_STYLE_SRC,
+        false,
+    ),
 };
 
 export const defaultExperimentalOptions: IExperimentalOptions = {