refactor(csp): remove unsafe-eval in dev mode (#7659)
This commit is contained in:
parent
d4363d4477
commit
03424513ce
@ -74,7 +74,7 @@ export default ({ options, nuxt, renderRoute, resources }) => async function nux
|
||||
const isReportOnly = !!options.render.csp.reportOnly
|
||||
const cspHeader = isReportOnly ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy'
|
||||
|
||||
res.setHeader(cspHeader, getCspString({ cspScriptSrcHashes, allowedSources, policies, isDev: options.dev, isReportOnly }))
|
||||
res.setHeader(cspHeader, getCspString({ cspScriptSrcHashes, allowedSources, policies, isReportOnly }))
|
||||
}
|
||||
|
||||
// Send response
|
||||
@ -126,9 +126,9 @@ const defaultPushAssets = (preloadFiles, shouldPush, publicPath, options) => {
|
||||
return links
|
||||
}
|
||||
|
||||
const getCspString = ({ cspScriptSrcHashes, allowedSources, policies, isDev, isReportOnly }) => {
|
||||
const getCspString = ({ cspScriptSrcHashes, allowedSources, policies, isReportOnly }) => {
|
||||
const joinedHashes = cspScriptSrcHashes.join(' ')
|
||||
const baseCspStr = `script-src 'self'${isDev ? ' \'unsafe-eval\'' : ''} ${joinedHashes}`
|
||||
const baseCspStr = `script-src 'self' ${joinedHashes}`
|
||||
const policyObjectAvailable = typeof policies === 'object' && policies !== null && !Array.isArray(policies)
|
||||
|
||||
if (Array.isArray(allowedSources) && allowedSources.length) {
|
||||
|
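Review bot: The new `baseCspStr` template that replaces the isDev-aware line still produces a trailing space when `cspScriptSrcHashes` is empty, yielding `script-src 'self' ` before any allowed sources are appended; it is not visible from this hunk whether callers guarantee at least one hash. Building the directive from parts sidesteps that, e.g. `const baseCspStr = ['script-src', "'self'", ...cspScriptSrcHashes].join(' ')`. With the dev/production distinction gone, a short comment above it such as `// 'unsafe-eval' is never emitted, even in dev: the only script-src relaxation is the per-build hash list` would record the intent for the next maintainer. getCspString's body continues past the end of the hunk.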
@ -265,7 +265,7 @@ describe('server: nuxtMiddleware', () => {
|
||||
expect(res.setHeader).nthCalledWith(
|
||||
1,
|
||||
'Content-Security-Policy-Report-Only',
|
||||
"script-src 'self' 'unsafe-eval' sha256-hashes /nuxt/*.js /nuxt/images/*"
|
||||
"script-src 'self' sha256-hashes /nuxt/*.js /nuxt/images/*"
|
||||
)
|
||||
})
|
||||
|
||||
|
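Review bot: The updated `nthCalledWith` expectation pins the report-only header to a value without `'unsafe-eval'`, but this hunk does not show whether the case runs with `options.dev` set, and the behaviour the commit removes only differed in dev mode. If no case in this describe block sets `dev: true`, a parallel case with that option asserting the same `script-src 'self' sha256-hashes /nuxt/*.js /nuxt/images/*` string would lock in the removal against regressions. The enclosing describe block starts outside the hunk.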