From 03424513ce164b9020ed442781934facf1529c03 Mon Sep 17 00:00:00 2001
From: "Xin Du (Clark)"
Date: Thu, 2 Jul 2020 18:37:55 +0100
Subject: [PATCH] refactor(csp): remove unsafe-eval in dev mode (#7659)

---
 packages/server/src/middleware/nuxt.js       | 6 +++---
 packages/server/test/middleware/nuxt.test.js | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/packages/server/src/middleware/nuxt.js b/packages/server/src/middleware/nuxt.js
index 2efec4b58a..b9431cd841 100644
--- a/packages/server/src/middleware/nuxt.js
+++ b/packages/server/src/middleware/nuxt.js
@@ -74,7 +74,7 @@ export default ({ options, nuxt, renderRoute, resources }) => async function nux
     const isReportOnly = !!options.render.csp.reportOnly
     const cspHeader = isReportOnly ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy'
 
-    res.setHeader(cspHeader, getCspString({ cspScriptSrcHashes, allowedSources, policies, isDev: options.dev, isReportOnly }))
+    res.setHeader(cspHeader, getCspString({ cspScriptSrcHashes, allowedSources, policies, isReportOnly }))
   }
 
   // Send response
@@ -126,9 +126,9 @@ const defaultPushAssets = (preloadFiles, shouldPush, publicPath, options) => {
   return links
 }
 
-const getCspString = ({ cspScriptSrcHashes, allowedSources, policies, isDev, isReportOnly }) => {
+const getCspString = ({ cspScriptSrcHashes, allowedSources, policies, isReportOnly }) => {
   const joinedHashes = cspScriptSrcHashes.join(' ')
-  const baseCspStr = `script-src 'self'${isDev ? ' \'unsafe-eval\'' : ''} ${joinedHashes}`
+  const baseCspStr = `script-src 'self' ${joinedHashes}`
   const policyObjectAvailable = typeof policies === 'object' && policies !== null && !Array.isArray(policies)
 
   if (Array.isArray(allowedSources) && allowedSources.length) {
diff --git a/packages/server/test/middleware/nuxt.test.js b/packages/server/test/middleware/nuxt.test.js
index 7a33e206e5..a8cfa83443 100644
--- a/packages/server/test/middleware/nuxt.test.js
+++ b/packages/server/test/middleware/nuxt.test.js
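Review bot: getCspString now emits `script-src 'self' ${joinedHashes}` unconditionally, so any development-only code path that still depends on `eval` (for instance a bundler devtool setting that wraps modules in `eval(...)`) will be blocked by the policy rather than allowed, and nothing in this hunk shows where that is accounted for — if it is handled elsewhere in the commit, a comment on the function would stop the next maintainer from re-adding the flag, e.g. `// Deliberately no dev-mode 'unsafe-eval' exception (#7659): tooling that needs eval must be configured not to.` The `isDev` key was dropped from the destructured parameter rather than rejected, so any other caller still passing `isDev` (the one at line 77 is updated in the first hunk) is now silently ignored; a grep for remaining callers would confirm none is left. The function body continues past the end of the hunk.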
@@ -265,7 +265,7 @@ describe('server: nuxtMiddleware', () => {
       expect(res.setHeader).nthCalledWith(
         1,
         'Content-Security-Policy-Report-Only',
-        "script-src 'self' 'unsafe-eval' sha256-hashes /nuxt/*.js /nuxt/images/*"
+        "script-src 'self' sha256-hashes /nuxt/*.js /nuxt/images/*"
       )
     })