From b1967192389ea932b12668c38691198adc6f57be Mon Sep 17 00:00:00 2001
From: Thomas Citharel
Date: Thu, 1 Jul 2021 18:30:34 +0200
Subject: [PATCH] Remove unsafe-inline from CSP

Signed-off-by: Thomas Citharel
---
 lib/web/plugs/http_security_plug.ex | 5 ++---
 test/web/plugs/http_security_plug_test.exs | 2 +-
 2 files changed, 3 insertions(+), 4 deletions(-)

diff --git a/lib/web/plugs/http_security_plug.ex b/lib/web/plugs/http_security_plug.ex
index a489fdfbe..00f0eede8 100644
--- a/lib/web/plugs/http_security_plug.ex
+++ b/lib/web/plugs/http_security_plug.ex
@@ -51,8 +51,7 @@ defmodule Mobilizon.Web.Plugs.HTTPSecurityPlug do
   # Connect-src is available for any origin (*) because of webfinger query to redirect to content
   @connect_src "connect-src 'self' * blob: "
   # unsafe-eval is because of JS issues with regenerator-runtime
-  # unsafe-inline will be overriten in prod with sha256 hash
-  @script_src "script-src 'self' 'unsafe-eval' 'unsafe-inline' "
+  @script_src "script-src 'self' 'unsafe-eval' "
   @style_src "style-src 'self' "
   @font_src "font-src 'self' "
@@ -76,7 +75,7 @@ defmodule Mobilizon.Web.Plugs.HTTPSecurityPlug do
     script_src =
       if Config.get(:env) == :dev do
-        @script_src
+        [@script_src, "'unsafe-inline' "]
       else
         [
           @script_src,
diff --git a/test/web/plugs/http_security_plug_test.exs b/test/web/plugs/http_security_plug_test.exs
index 58b6e1ea4..a7d533a50 100644
--- a/test/web/plugs/http_security_plug_test.exs
+++ b/test/web/plugs/http_security_plug_test.exs
@@ -73,7 +73,7 @@ defmodule Mobilizon.Web.Plugs.HTTPSecurityPlugTest do
       [csp] = Conn.get_resp_header(conn, "content-security-policy")
       assert csp =~
-               ~r/script-src 'self' 'unsafe-eval' 'unsafe-inline' 'sha256-[\w+\/=]*' example.com matomo.example.com;/
+               ~r/script-src 'self' 'unsafe-eval' 'sha256-[\w+\/=]*' example.com matomo.example.com;/
     end
   end
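Review bot: With the removed comment gone, nothing next to `@script_src` records where inline scripts are still permitted; the surviving comment explains only 'unsafe-eval'. Suggest keeping a one-line note on the attribute, e.g. `# 'unsafe-inline' is appended only in :dev; other envs add sha256 hashes instead (see script_src below)`, and confirming the hash wording against the rest of the function, since only the start of the else branch and the test regex are visible here. 'unsafe-eval' still remains in every environment, which keeps eval-based script injection possible even without inline scripts; the comment ties it to regenerator-runtime, so a TODO naming that dependency would make the residual risk traceable when the build no longer needs it.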
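Review bot: The :dev branch now yields a list like the else branch, but the intentional weakening of the dev policy is not documented at the point where it happens; a comment such as `# dev serves unhashed inline scripts, so 'unsafe-inline' is needed here only` would explain why the branches differ. Because inline scripts are rejected only outside :dev, a template that gains an inline handler passes local runs and surfaces as a CSP violation only in production; the updated test pins the non-dev shape, so a companion assertion that the :dev policy contains 'unsafe-inline' (and nothing else differs) would pin both branches. Whether `Config.get(:env)` is evaluated per request or once at build time cannot be told from the hunk. The enclosing function starts and ends outside the hunk.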
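Review bot: The updated regex still accepts an empty hash, because `[\w+\/=]*` matches zero characters and a policy containing a bare `'sha256-'` would satisfy it; use `'sha256-[\w+\/=]+'` so the assertion fails when no hash is actually emitted. The dots in `example.com` and `matomo.example.com` are unescaped, which is harmless for this fixture but `example\.com` would make the match exact. The test's setup and `describe` block lie outside the hunk.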