Fix nonce filter and csp test (#2508)

Shopify · Sep 9, 2024 · ed2657b · ed2657b
1 parent d633e49
commit ed2657b
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 5 deletions.
diff --git a/packages/hydrogen/src/csp/csp.test.ts b/packages/hydrogen/src/csp/csp.test.ts
@@ -18,7 +18,7 @@ afterEach(() => {
 describe('createContentSecurityPolicy', () => {
   it('creates default policy', () => {
     expect(createContentSecurityPolicy().header).toMatchInlineSnapshot(
-      `"base-uri 'self'; default-src 'self' 'nonce-somenonce' https://cdn.shopify.com https://shopify.com; frame-ancestors 'none'; style-src 'self' 'unsafe-inline' https://cdn.shopify.com; connect-src 'self' https://monorail-edge.shopifysvc.com"`,
+      `"base-uri 'self'; default-src 'self' https://cdn.shopify.com https://shopify.com 'nonce-somenonce'; frame-ancestors 'none'; style-src 'self' 'unsafe-inline' https://cdn.shopify.com; connect-src 'self' https://monorail-edge.shopifysvc.com"`,
     );
   });
 
@@ -28,7 +28,7 @@ describe('createContentSecurityPolicy', () => {
         styleSrc: ['https://some-custom-css.cdn'],
       }).header,
     ).toMatchInlineSnapshot(
-      `"base-uri 'self'; default-src 'self' 'nonce-somenonce' https://cdn.shopify.com https://shopify.com; frame-ancestors 'none'; style-src https://some-custom-css.cdn 'self' 'unsafe-inline' https://cdn.shopify.com; connect-src 'self' https://monorail-edge.shopifysvc.com"`,
+      `"base-uri 'self'; default-src 'self' https://cdn.shopify.com https://shopify.com 'nonce-somenonce'; frame-ancestors 'none'; style-src https://some-custom-css.cdn 'self' 'unsafe-inline' https://cdn.shopify.com; connect-src 'self' https://monorail-edge.shopifysvc.com"`,
     );
   });
 
@@ -41,7 +41,7 @@ describe('createContentSecurityPolicy', () => {
         },
       }).header,
     ).toMatchInlineSnapshot(
-      `"base-uri 'self'; default-src 'self' 'nonce-somenonce' https://cdn.shopify.com https://shopify.com; frame-ancestors 'none'; style-src 'self' 'unsafe-inline' https://cdn.shopify.com; connect-src 'self' https://monorail-edge.shopifysvc.com https://checkout.myshopify.com https://test.myshopify.com"`,
+      `"base-uri 'self'; default-src 'self' https://cdn.shopify.com https://shopify.com 'nonce-somenonce'; frame-ancestors 'none'; style-src 'self' 'unsafe-inline' https://cdn.shopify.com; connect-src 'self' https://monorail-edge.shopifysvc.com https://checkout.myshopify.com https://test.myshopify.com"`,
     );
   });
 

diff --git a/packages/hydrogen/src/csp/csp.ts b/packages/hydrogen/src/csp/csp.ts
@@ -146,12 +146,12 @@ function createCSPHeader(
   // shouldn't use our utilities and just manually create their CSP.
   if (combinedDirectives.scriptSrc instanceof Array) {
     combinedDirectives.scriptSrc = [
-      ...combinedDirectives.scriptSrc.filter((ss) => !ss.startsWith('nonce')),
+      ...combinedDirectives.scriptSrc.filter((ss) => !ss.startsWith(`'nonce`)),
       nonceString,
     ];
   } else if (combinedDirectives.defaultSrc instanceof Array) {
     combinedDirectives.defaultSrc = [
-      ...combinedDirectives.defaultSrc.filter((ss) => !ss.startsWith('nonce')),
+      ...combinedDirectives.defaultSrc.filter((ss) => !ss.startsWith(`'nonce`)),
       nonceString,
     ];
   }