chore: extend CSP based on audit suggestion

research-software-directory · Sep 5, 2023 · 1f81bd2 · 1f81bd2
1 parent 033a498
commit 1f81bd2
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 3 deletions.
diff --git a/frontend/utils/contentSecurityPolicy.test.ts b/frontend/utils/contentSecurityPolicy.test.ts
@@ -20,7 +20,7 @@ beforeEach(() => {
 it('sets content security policy header for development', () => {
   const nonce = setContentSecurityPolicyHeader(res as any)
   const policyName = 'Content-Security-Policy-Report-Only'
-  const policyText = `default-src 'self'; style-src 'self' 'unsafe-inline'; connect-src 'self' https://*; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: https://*; base-uri 'none'; object-src 'none'; script-src 'nonce-${nonce}' 'strict-dynamic' 'unsafe-eval' 'unsafe-inline'`
+  const policyText = `default-src 'self'; style-src 'self' 'unsafe-inline'; connect-src 'self' https://*; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: https://*; base-uri 'none'; object-src 'none'; script-src 'nonce-${nonce}' 'strict-dynamic' 'unsafe-eval' 'unsafe-inline' https:`
 
   expect(mockSetHeader).toBeCalledTimes(1)
   // const calledWith = mockSetHeader
@@ -32,7 +32,7 @@ it('sets content security policy header for production', () => {
   process.env.MATOMO_URL = 'https://mamtomo.com/test-url'
   const nonce = setContentSecurityPolicyHeader(res as any)
   const policyName = 'Content-Security-Policy'
-  const policyText = `default-src 'self'; style-src 'self' 'unsafe-inline'; connect-src 'self' https://*; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: https://*; base-uri 'none'; object-src 'none'; script-src 'nonce-${nonce}' 'strict-dynamic' https://mamtomo.com/test-url 'unsafe-inline'`
+  const policyText = `default-src 'self'; style-src 'self' 'unsafe-inline'; connect-src 'self' https://*; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: https://*; base-uri 'none'; object-src 'none'; script-src 'nonce-${nonce}' 'strict-dynamic' https://mamtomo.com/test-url 'unsafe-inline' https:`
 
 
   // "default-src 'self'; style-src 'self' 'unsafe-inline'; connect-src 'self' https://*; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: https://*; base-uri 'none'; object-src 'none'; script-src 'self' 'unsafe-inline' https://mamtomo.com/test-url 'nonce-b771ce36-a563-4e69-b969-0a758ac0762e'"

diff --git a/frontend/utils/contentSecurityPolicy.ts b/frontend/utils/contentSecurityPolicy.ts
@@ -64,7 +64,7 @@ function devScript() {
 export function nonceContentSecurity() {
   const nonce = crypto.randomUUID()
   // append default, monitoring scripts and dev script
-  let scriptSrc = `script-src 'nonce-${nonce}' 'strict-dynamic'${monitoringScripts()}${devScript()} 'unsafe-inline'`
+  let scriptSrc = `script-src 'nonce-${nonce}' 'strict-dynamic'${monitoringScripts()}${devScript()} 'unsafe-inline' https:`
   // combine shared policies with script policy
   const policy = `${sharedPolicy.replace(/\s{2,}/g, ' ').trim()} ${scriptSrc}`
   // console.log('shaContentSecurity...', policy)