From 32e4c64bb40edf6fade91b54e82824bbd0119d91 Mon Sep 17 00:00:00 2001
From: Timmy Willison
Date: Fri, 27 Sep 2024 19:58:20 -0400
Subject: [PATCH] miscweb:grunt: add necessary exceptions to CSP headers

**miscweb**
- script-src: add 'wasm-unsafe-eval' for WebAssembly-driven search on bugs.jquery.com, bugs.jqueryui.com, and plugins.jquery.com
- img-src: allow secure.gravatar.com images on plugins.jquery.com
- media-src: allow content.jquery.com media on podcast.jquery.com
**grunt**
- script-src: add 'unsafe-eval' for the search functionality on gruntjs.com/plugins
- the datatables plugin uses jQuery's eval. While later versions of jQuery switched to using script tags for eval, it would still require an exception. The best solution would be to re-implement search, but that will take time.
---
 .../templates/contentorigin/site.nginx.erb | 10 +++++++++-
 .../profile/templates/gruntjscom/site.nginx.erb | 12 +++++++++++-
 modules/profile/templates/miscweb/site.nginx.erb | 15 ++++++++++++++-
 3 files changed, 34 insertions(+), 3 deletions(-)
diff --git a/modules/profile/templates/contentorigin/site.nginx.erb b/modules/profile/templates/contentorigin/site.nginx.erb
index 1cc80b7..4fa95f9 100644
--- a/modules/profile/templates/contentorigin/site.nginx.erb
+++ b/modules/profile/templates/contentorigin/site.nginx.erb
@@ -15,7 +15,15 @@ server {
 # Add Content Security Policy headers
 add_header Reporting-Endpoints "csp-endpoint='https://csp-report-api.openjs-foundation.workers.dev/'";
- add_header Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self' code.jquery.com; connect-src 'self'; img-src 'self'; style-src 'self'; report-uri https://csp-report-api.openjs-foundation.workers.dev/; report-to csp-endpoint";
+ add_header Content-Security-Policy-Report-Only "
+ default-src 'self';
+ script-src 'self' code.jquery.com;
+ connect-src 'self';
+ img-src 'self';
+ style-src 'self';
+ report-uri https://csp-report-api.openjs-foundation.workers.dev/;
+ report-to csp-endpoint
+ ";
 location / {
 root /srv/www/content.jquery.com;
diff --git a/modules/profile/templates/gruntjscom/site.nginx.erb b/modules/profile/templates/gruntjscom/site.nginx.erb
index 626f65f..4ffc8a4 100644
--- a/modules/profile/templates/gruntjscom/site.nginx.erb
+++ b/modules/profile/templates/gruntjscom/site.nginx.erb
@@ -19,7 +19,17 @@ server {
 # Add Content Security Policy headers
 add_header Reporting-Endpoints "csp-endpoint='https://csp-report-api.openjs-foundation.workers.dev/'";
- add_header Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self'; report-uri https://csp-report-api.openjs-foundation.workers.dev/; report-to csp-endpoint;" always;
+ # script-src: add 'unsafe-eval' for the search functionality on gruntjs.com/plugins
+ # Search will need to be reimplemented to remove this exception.
+ add_header Content-Security-Policy-Report-Only "
+ default-src 'self';
+ script-src 'self' 'unsafe-eval';
+ connect-src 'self';
+ img-src 'self';
+ style-src 'self';
+ report-uri https://csp-report-api.openjs-foundation.workers.dev/;
+ report-to csp-endpoint
+ " always;
 }
 location /.well-known/acme-challenge {
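Review bot: The new header value is a multi-line quoted string, and nginx does not strip newlines from a quoted argument, so the `Content-Security-Policy-Report-Only` value would be emitted with bare LF characters (plus each directive line's indentation) embedded in it. HTTP/2 forbids CR/LF in field values and browsers treat such a response as a protocol error, while over HTTP/1.1 the continuation lines only survive through deprecated obs-fold handling, so the likely outcome is that the policy is silently ignored and no reports ever arrive — a fail-open that stays invisible precisely because the header is report-only. I cannot confirm the emitted bytes from the diff alone; please verify with `curl -sI --http2 https://content.jquery.com/ | grep -i content-security` that the header arrives as one line, and if it does not, keep the value on a single line (a `#` comment above the directive can carry the per-directive explanation); the same multi-line form is used in the gruntjscom and miscweb hunks of this patch. Separately, this directive lacks the `always` flag that the gruntjscom template keeps, so 4xx/5xx responses from this site carry no CSP header at all; `add_header Content-Security-Policy-Report-Only "…" always;` would close that gap.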
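Review bot: `'unsafe-eval'` is granted to every response this template serves, although the comment above the directive scopes the need to gruntjs.com/plugins, and with it any markup injection that reaches a script context can evaluate arbitrary strings instead of merely loading same-origin files. Since nginx allows `add_header` per location, the exception can be confined to the plugins path while the rest of the site keeps `script-src 'self'`. Note that an `add_header` inside a location replaces all inherited `add_header` directives, so `Reporting-Endpoints` (and any other header set at this level outside the hunk) must be restated in that location. The block enclosing these directives opens outside the hunk and I cannot see whether a location already matches `/plugins`, so adjust the prefix or merge into the existing block as needed.

```nginx
# … unchanged: site-wide Reporting-Endpoints and Content-Security-Policy-Report-Only, with script-src 'self' only …

# 'unsafe-eval' is needed only by the datatables-driven search on /plugins.
# add_header in a location discards inherited add_header directives, so restate them here.
location /plugins {
    add_header Reporting-Endpoints "csp-endpoint='https://csp-report-api.openjs-foundation.workers.dev/'";
    add_header Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self' 'unsafe-eval'; connect-src 'self'; img-src 'self'; style-src 'self'; report-uri https://csp-report-api.openjs-foundation.workers.dev/; report-to csp-endpoint" always;
}
```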
diff --git a/modules/profile/templates/miscweb/site.nginx.erb b/modules/profile/templates/miscweb/site.nginx.erb
index 41e5635..e7eb640 100644
--- a/modules/profile/templates/miscweb/site.nginx.erb
+++ b/modules/profile/templates/miscweb/site.nginx.erb
@@ -20,7 +20,20 @@ server {
 # Add Content Security Policy headers
 add_header Reporting-Endpoints "csp-endpoint='https://csp-report-api.openjs-foundation.workers.dev/'";
- add_header Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self' code.jquery.com; connect-src 'self'; img-src 'self'; style-src 'self'; report-uri https://csp-report-api.openjs-foundation.workers.dev/; report-to csp-endpoint";
+ # script-src: add 'wasm-unsafe-eval' for WebAssembly-driven search on
+ # bugs.jquery.com, bugs.jqueryui.com, and plugins.jquery.com
+ # img-src: allow secure.gravatar.com images on plugins.jquery.com
+ # media-src: allow content.jquery.com media on podcast.jquery.com
+ add_header Content-Security-Policy-Report-Only "
+ default-src 'self';
+ script-src 'self' 'wasm-unsafe-eval' code.jquery.com;
+ connect-src 'self';
+ img-src 'self' secure.gravatar.com;
+ style-src 'self';
+ media-src 'self' content.jquery.com;
+ report-uri https://csp-report-api.openjs-foundation.workers.dev/;
+ report-to csp-endpoint
+ ";
 <%- if @site['allow_php'] -%>
 index index.php index.html;
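Review bot: The three host-specific exceptions (`'wasm-unsafe-eval'`, `secure.gravatar.com`, `content.jquery.com`) go into a single policy that this template emits for every miscweb site, so bugs.jquery.com and bugs.jqueryui.com also allow Gravatar images and content.jquery.com media, and podcast.jquery.com also allows WebAssembly compilation, none of which the comments say those hosts need. The template already branches on per-site data (`<%- if @site['allow_php'] -%>` in the context below), so each extra source can be gated the same way, e.g. `img-src 'self'<%- if @site['allow_gravatar'] -%> secure.gravatar.com<%- end -%>;` with a matching per-site key, or by testing whichever `@site` key holds the hostname; I cannot see the `@site` schema from this hunk, so the key names are a guess. A smaller point: `default-src` does not govern `base-uri` or `frame-ancestors`, so `script-src 'self'` can still be undermined by an injected `<base href>` pointing at another origin; adding `base-uri 'self'; frame-ancestors 'self';` ahead of the report directives would close that while the policy is still report-only.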