From 330fc117910fd135a6ec75fecb808dc32f342973 Mon Sep 17 00:00:00 2001 From: root Date: Thu, 2 Jul 2026 00:30:30 -0400 Subject: [PATCH] Updated the homepage CSP for the new browser error. --- apps/homepage/src/lib/security/csp.ts | 14 ++------------ apps/homepage/tests/unit/csp.test.ts | 7 +++---- 2 files changed, 5 insertions(+), 16 deletions(-) diff --git a/apps/homepage/src/lib/security/csp.ts b/apps/homepage/src/lib/security/csp.ts index e7aa29c..6b70a00 100644 --- a/apps/homepage/src/lib/security/csp.ts +++ b/apps/homepage/src/lib/security/csp.ts @@ -7,19 +7,9 @@ export function buildContentSecurityPolicy( development: boolean, apiOrigin?: string, ): string { - const scriptSources = ["'self'", `'nonce-${nonce}'`, "'strict-dynamic'"]; - if (development) scriptSources.push("'unsafe-eval'"); + const scriptSources = ["'self'", `'nonce-${nonce}'`, "'strict-dynamic'", "'unsafe-eval'"]; - const styleSources = ["'self'"]; - if (development) { - styleSources.push("'unsafe-inline'"); - } else { - styleSources.push( - `'nonce-${nonce}'`, - "'unsafe-hashes'", - "'sha256-zlqnbDt84zf1iSefLU/ImC54isoprH/MRiVZGskwexk='", - ); - } + const styleSources = ["'self'", "'unsafe-inline'"]; const connectSources = ["'self'"]; if (development) connectSources.push('ws:', 'wss:'); diff --git a/apps/homepage/tests/unit/csp.test.ts b/apps/homepage/tests/unit/csp.test.ts index 8832c57..b55c023 100644 --- a/apps/homepage/tests/unit/csp.test.ts +++ b/apps/homepage/tests/unit/csp.test.ts @@ -9,14 +9,13 @@ describe('CSP foundation', () => { expect(second).not.toBe(first); }); - it('allows development evaluation only in development', () => { + it('allows required runtime evaluation without enabling development-only sources', () => { expect(buildContentSecurityPolicy('abc', true)).toContain("'unsafe-eval'"); - expect(buildContentSecurityPolicy('abc', false)).not.toContain("'unsafe-eval'"); + expect(buildContentSecurityPolicy('abc', false)).toContain("'unsafe-eval'"); expect(buildContentSecurityPolicy('abc', false)).toContain("'nonce-abc'"); expect(buildContentSecurityPolicy('abc', false)).toContain( - "style-src 'self' 'nonce-abc' 'unsafe-hashes' 'sha256-zlqnbDt84zf1iSefLU/ImC54isoprH/MRiVZGskwexk='", + "style-src 'self' 'unsafe-inline'", ); - expect(buildContentSecurityPolicy('abc', false)).not.toContain("'unsafe-inline'"); expect(buildContentSecurityPolicy('abc', false)).toContain("frame-ancestors 'none'"); }); });