Merge branch 'csp-fixes' into 'master'

CSP fixes: allow inline scripts/styles, disable CSP on localhost See merge request BigDataBoutique/elastiquill!17
Omrisnyk · Apr 17, 2019 · 2490793 · 2490793
2 parents 8fe779e + 3c07b82
commit 2490793
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 2 deletions.
diff --git a/backend/src/routes/index.js b/backend/src/routes/index.js
@@ -64,13 +64,15 @@ router.use(asyncHandler(async (req, res, next) => {
 
   res.locals.gaTrackingId = _.get(config, 'credentials.google.analytics-code', null);
   res.locals.adminRoute = config.blog['admin-route'];
+  res.locals.isLocalhost = config.blog.url.startsWith('http://localhost');
+
   res.locals.sidebarWidgetData = await cache.cacheAndReturn('sidebar-widget-data', async () => {
     const { items, allTags } = await blogPosts.getItems({ type: 'post', pageIndex: 0, pageSize: 10 });
     return {
       recentPosts: items.map(preparePost),
       allTags
     };
-  });
+  });  
 
   next();
 }));

diff --git a/backend/src/views/base/layouts/main.hbs b/backend/src/views/base/layouts/main.hbs
@@ -16,7 +16,9 @@
   <link rel="canonical" href="{{canonicalUrl}}" />
   {{/if}}
 
-  <meta http-equiv="Content-Security-Policy" content="default-src https:">
+  {{#unless isLocalhost}}
+  <meta http-equiv="Content-Security-Policy" content="default-src https: 'unsafe-inline'">
+  {{/unless}}
 
   <link rel="shortcut icon" href="/static/base/favicon/favicon.ico">
   <link rel="apple-touch-icon" sizes="180x180" href="/static/base/favicon/apple-touch-icon.png">