From 30c0e6d1d7d95bed011e79db9616bf2e49ea54ce Mon Sep 17 00:00:00 2001
From: Hariom Balhara <hariombalhara@gmail.com>
Date: Tue, 7 Feb 2023 04:20:08 +0530
Subject: [PATCH 1/3] Beginning of Strict CSP Compliance (#6841)

* Add CSP Support and enable it initially for Login page

* Update README

* Make sure that CSP is not enabled if CSP_POLICY isnt set

* Add a new value for x-csp header that tells if instance has opted-in to CSP or not

* Add more src to CSP

* Fix typo in header name

* Remove duplicate headers fn

* Add https://eu.ui-avatars.com/api/

* Add CSP_POLICY to env.example
---
 .env.example                                  |  3 +
 README.md                                     |  2 +
 apps/web/lib/app-providers.tsx                |  5 +-
 apps/web/lib/csp.ts                           | 83 +++++++++++++++++++
 apps/web/lib/withNonce.tsx                    | 41 +++++++++
 apps/web/middleware.ts                        | 19 ++++-
 apps/web/next.config.js                       | 19 +++++
 apps/web/pages/_app.tsx                       | 16 +++-
 apps/web/pages/_document.tsx                  | 67 ++++-----------
 apps/web/pages/auth/login.tsx                 | 11 ++-
 apps/web/public/embed-init-iframe.js          | 26 ++++++
 .../embeds/embed-core/src/embed-iframe.ts     |  1 -
 packages/types/environment.d.ts               |  5 ++
 turbo.json                                    |  3 +-
 14 files changed, 243 insertions(+), 58 deletions(-)
 create mode 100644 apps/web/lib/csp.ts
 create mode 100644 apps/web/lib/withNonce.tsx
 create mode 100644 apps/web/public/embed-init-iframe.js

diff --git a/.env.example b/.env.example
index ebe85373858b6e..cffb8c02d192d7 100644
--- a/.env.example
+++ b/.env.example
@@ -157,3 +157,6 @@ NEXT_PUBLIC_COMPANY_NAME="Cal.com, Inc."
 # Set this to true in to disable new signups
 # NEXT_PUBLIC_DISABLE_SIGNUP=true
 NEXT_PUBLIC_DISABLE_SIGNUP=
+
+# Content Security Policy
+CSP_POLICY=
diff --git a/README.md b/README.md
index 69454c9faeee71..4b8ffab14e43d7 100644
--- a/README.md
+++ b/README.md
@@ -350,7 +350,9 @@ Don't code but still want to contribute? Join our [slack](https://cal.com/slack)
 
 ![ar translation](https://img.shields.io/badge/dynamic/json?color=blue&label=ar&style=flat&logo=crowdin&query=%24.progress.0.data.translationProgress&url=https%3A%2F%2Fbadges.awesome-crowdin.com%2Fstats-200011276-1.json) ![bg translation](https://img.shields.io/badge/dynamic/json?color=blue&label=bg&style=flat&logo=crowdin&query=%24.progress.1.data.translationProgress&url=https%3A%2F%2Fbadges.awesome-crowdin.com%2Fstats-200011276-1.json) ![cs translation](https://img.shields.io/badge/dynamic/json?color=blue&label=cs&style=flat&logo=crowdin&query=%24.progress.2.data.translationProgress&url=https%3A%2F%2Fbadges.awesome-crowdin.com%2Fstats-200011276-1.json) ![de translation](https://img.shields.io/badge/dynamic/json?color=blue&label=de&style=flat&logo=crowdin&query=%24.progress.3.data.translationProgress&url=https%3A%2F%2Fbadges.awesome-crowdin.com%2Fstats-200011276-1.json) ![el translation](https://img.shields.io/badge/dynamic/json?color=blue&label=el&style=flat&logo=crowdin&query=%24.progress.4.data.translationProgress&url=https%3A%2F%2Fbadges.awesome-crowdin.com%2Fstats-200011276-1.json) ![en translation](https://img.shields.io/badge/dynamic/json?color=blue&label=en&style=flat&logo=crowdin&query=%24.progress.5.data.translationProgress&url=https%3A%2F%2Fbadges.awesome-crowdin.com%2Fstats-200011276-1.json) ![es translation](https://img.shields.io/badge/dynamic/json?color=blue&label=es&style=flat&logo=crowdin&query=%24.progress.6.data.translationProgress&url=https%3A%2F%2Fbadges.awesome-crowdin.com%2Fstats-200011276-1.json) ![es-419 translation](https://img.shields.io/badge/dynamic/json?color=blue&label=es-419&style=flat&logo=crowdin&query=%24.progress.7.data.translationProgress&url=https%3A%2F%2Fbadges.awesome-crowdin.com%2Fstats-200011276-1.json) ![fr translation](https://img.shields.io/badge/dynamic/json?color=blue&label=fr&style=flat&logo=crowdin&query=%24.progress.8.data.translationProgress&url=https%3A%2F%2Fbadges.awesome-crowdin.com%2Fstats-200011276-1.json) ![he translation](https://img.shields.io/badge/dynamic/json?color=blue&label=he&style=flat&logo=crowdin&query=%24.progress.9.data.translationProgress&url=https%3A%2F%2Fbadges.awesome-crowdin.com%2Fstats-200011276-1.json) ![hu translation](https://img.shields.io/badge/dynamic/json?color=blue&label=hu&style=flat&logo=crowdin&query=%24.progress.10.data.translationProgress&url=https%3A%2F%2Fbadges.awesome-crowdin.com%2Fstats-200011276-1.json) ![it translation](https://img.shields.io/badge/dynamic/json?color=blue&label=it&style=flat&logo=crowdin&query=%24.progress.11.data.translationProgress&url=https%3A%2F%2Fbadges.awesome-crowdin.com%2Fstats-200011276-1.json) ![ja translation](https://img.shields.io/badge/dynamic/json?color=blue&label=ja&style=flat&logo=crowdin&query=%24.progress.12.data.translationProgress&url=https%3A%2F%2Fbadges.awesome-crowdin.com%2Fstats-200011276-1.json) ![ko translation](https://img.shields.io/badge/dynamic/json?color=blue&label=ko&style=flat&logo=crowdin&query=%24.progress.13.data.translationProgress&url=https%3A%2F%2Fbadges.awesome-crowdin.com%2Fstats-200011276-1.json) ![nl translation](https://img.shields.io/badge/dynamic/json?color=blue&label=nl&style=flat&logo=crowdin&query=%24.progress.14.data.translationProgress&url=https%3A%2F%2Fbadges.awesome-crowdin.com%2Fstats-200011276-1.json) ![no translation](https://img.shields.io/badge/dynamic/json?color=blue&label=no&style=flat&logo=crowdin&query=%24.progress.15.data.translationProgress&url=https%3A%2F%2Fbadges.awesome-crowdin.com%2Fstats-200011276-1.json) ![pl translation](https://img.shields.io/badge/dynamic/json?color=blue&label=pl&style=flat&logo=crowdin&query=%24.progress.16.data.translationProgress&url=https%3A%2F%2Fbadges.awesome-crowdin.com%2Fstats-200011276-1.json) ![pt translation](https://img.shields.io/badge/dynamic/json?color=blue&label=pt&style=flat&logo=crowdin&query=%24.progress.17.data.translationProgress&url=https%3A%2F%2Fbadges.awesome-crowdin.com%2Fstats-200011276-1.json) ![pt-BR translation](https://img.shields.io/badge/dynamic/json?color=blue&label=pt-BR&style=flat&logo=crowdin&query=%24.progress.18.data.translationProgress&url=https%3A%2F%2Fbadges.awesome-crowdin.com%2Fstats-200011276-1.json) ![ro translation](https://img.shields.io/badge/dynamic/json?color=blue&label=ro&style=flat&logo=crowdin&query=%24.progress.19.data.translationProgress&url=https%3A%2F%2Fbadges.awesome-crowdin.com%2Fstats-200011276-1.json) ![ru translation](https://img.shields.io/badge/dynamic/json?color=blue&label=ru&style=flat&logo=crowdin&query=%24.progress.20.data.translationProgress&url=https%3A%2F%2Fbadges.awesome-crowdin.com%2Fstats-200011276-1.json) ![sr translation](https://img.shields.io/badge/dynamic/json?color=blue&label=sr&style=flat&logo=crowdin&query=%24.progress.21.data.translationProgress&url=https%3A%2F%2Fbadges.awesome-crowdin.com%2Fstats-200011276-1.json) ![sv translation](https://img.shields.io/badge/dynamic/json?color=blue&label=sv&style=flat&logo=crowdin&query=%24.progress.22.data.translationProgress&url=https%3A%2F%2Fbadges.awesome-crowdin.com%2Fstats-200011276-1.json) ![tr translation](https://img.shields.io/badge/dynamic/json?color=blue&label=tr&style=flat&logo=crowdin&query=%24.progress.23.data.translationProgress&url=https%3A%2F%2Fbadges.awesome-crowdin.com%2Fstats-200011276-1.json) ![uk translation](https://img.shields.io/badge/dynamic/json?color=blue&label=uk&style=flat&logo=crowdin&query=%24.progress.24.data.translationProgress&url=https%3A%2F%2Fbadges.awesome-crowdin.com%2Fstats-200011276-1.json) ![vi translation](https://img.shields.io/badge/dynamic/json?color=blue&label=vi&style=flat&logo=crowdin&query=%24.progress.25.data.translationProgress&url=https%3A%2F%2Fbadges.awesome-crowdin.com%2Fstats-200011276-1.json) ![zh-CN translation](https://img.shields.io/badge/dynamic/json?color=blue&label=zh-CN&style=flat&logo=crowdin&query=%24.progress.26.data.translationProgress&url=https%3A%2F%2Fbadges.awesome-crowdin.com%2Fstats-200011276-1.json) ![zh-TW translation](https://img.shields.io/badge/dynamic/json?color=blue&label=zh-TW&style=flat&logo=crowdin&query=%24.progress.27.data.translationProgress&url=https%3A%2F%2Fbadges.awesome-crowdin.com%2Fstats-200011276-1.json)
 
+## Enabling Content Security Policy
 
+- Set CSP_POLICY="non-strict" env variable, which enables [Strict CSP](https://web.dev/strict-csp/) except for unsafe-inline in style-src . If you have some custom changes in your instance, you might have to make some code change to make your instance CSP compatible. Right now it enables strict CSP only on login page and on other SSR pages it is enabled in Report only mode to detect possible issues. On, SSG pages it is still not supported.
 
 ## Integrations
 
diff --git a/apps/web/lib/app-providers.tsx b/apps/web/lib/app-providers.tsx
index 276a2721ded0f5..78b43d3d59964c 100644
--- a/apps/web/lib/app-providers.tsx
+++ b/apps/web/lib/app-providers.tsx
@@ -13,18 +13,20 @@ import { trpc } from "@calcom/trpc/react";
 import { MetaProvider } from "@calcom/ui";
 
 import usePublicPage from "@lib/hooks/usePublicPage";
+import { WithNonceProps } from "@lib/withNonce";
 
 const I18nextAdapter = appWithTranslation<NextJsAppProps<SSRConfig> & { children: React.ReactNode }>(
   ({ children }) => <>{children}</>
 );
 
 // Workaround for https://github.com/vercel/next.js/issues/8592
-export type AppProps = Omit<NextAppProps, "Component"> & {
+export type AppProps = Omit<NextAppProps<WithNonceProps & Record<string, unknown>>, "Component"> & {
   Component: NextAppProps["Component"] & {
     requiresLicense?: boolean;
     isThemeSupported?: boolean | ((arg: { router: NextRouter }) => boolean);
     getLayout?: (page: React.ReactElement, router: NextRouter) => ReactNode;
   };
+
   /** Will be defined only is there was an error */
   err?: Error;
 };
@@ -77,6 +79,7 @@ const AppProviders = (props: AppPropsWithChildren) => {
           <TooltipProvider>
             {/* color-scheme makes background:transparent not work which is required by embed. We need to ensure next-theme adds color-scheme to `body` instead of `html`(https://github.com/pacocoursey/next-themes/blob/main/src/index.tsx#L74). Once that's done we can enable color-scheme support */}
             <ThemeProvider
+              nonce={props.pageProps.nonce}
               enableColorScheme={false}
               storageKey={storageKey}
               forcedTheme={forcedTheme}
diff --git a/apps/web/lib/csp.ts b/apps/web/lib/csp.ts
new file mode 100644
index 00000000000000..8505f99dc7fc0d
--- /dev/null
+++ b/apps/web/lib/csp.ts
@@ -0,0 +1,83 @@
+import crypto from "crypto";
+import { IncomingMessage, OutgoingMessage } from "http";
+import { z } from "zod";
+
+import { IS_PRODUCTION } from "@calcom/lib/constants";
+
+function getCspPolicy(nonce: string) {
+  //TODO: Do we need to explicitly define it in turbo.json
+  const CSP_POLICY = process.env.CSP_POLICY;
+
+  // Note: "non-strict" policy only allows inline styles otherwise it's the same as "strict"
+  // We can remove 'unsafe-inline' from style-src when we add nonces to all style tags
+  // Maybe see how @next-safe/middleware does it if it's supported.
+  const useNonStrictPolicy = CSP_POLICY === "non-strict";
+
+  return `
+	  default-src 'self' ${IS_PRODUCTION ? "" : "data:"};
+	  script-src ${
+      IS_PRODUCTION
+        ? // 'self' 'unsafe-inline' https: added for Browsers not supporting strict-dynamic not supporting strict-dynamic
+          "'nonce-" + nonce + "' 'strict-dynamic' 'self' 'unsafe-inline' https:"
+        : // Note: We could use 'strict-dynamic' with 'nonce-..' instead of unsafe-inline but there are some streaming related scripts that get blocked(because they don't have nonce on them). It causes a really frustrating full page error model by Next.js to show up sometimes
+          "'unsafe-inline' 'unsafe-eval' https: http:"
+    };
+    object-src 'none';
+    base-uri 'none';
+	  child-src app.cal.com;
+	  style-src 'self' ${
+      IS_PRODUCTION ? (useNonStrictPolicy ? "'unsafe-inline'" : "") : "'unsafe-inline'"
+    } app.cal.com;
+	  font-src 'self';
+	  img-src 'self' https://www.gravatar.com https://img.youtube.com https://eu.ui-avatars.com/api/ data:
+	`;
+}
+
+// Taken from @next-safe/middleware
+const isPagePathRequest = (url: URL) => {
+  const isNonPagePathPrefix = /^\/(?:_next|api)\//;
+  const isFile = /\..*$/;
+  const { pathname } = url;
+  return !isNonPagePathPrefix.test(pathname) && !isFile.test(pathname);
+};
+
+export function csp(req: IncomingMessage | null, res: OutgoingMessage | null) {
+  if (!req) {
+    return { nonce: undefined };
+  }
+  const existingNonce = req.headers["x-nonce"];
+  if (existingNonce) {
+    const existingNoneParsed = z.string().safeParse(existingNonce);
+    return { nonce: existingNoneParsed.success ? existingNoneParsed.data : "" };
+  }
+  if (!req.url) {
+    return { nonce: undefined };
+  }
+  const CSP_POLICY = process.env.CSP_POLICY;
+  const cspEnabledForInstance = CSP_POLICY;
+  const nonce = crypto.randomBytes(16).toString("base64");
+
+  const parsedUrl = new URL(req.url, "http://base_url");
+  const cspEnabledForPage = cspEnabledForInstance && isPagePathRequest(parsedUrl);
+  if (!cspEnabledForPage) {
+    return {
+      nonce: undefined,
+    };
+  }
+  // Set x-nonce request header to be used by `getServerSideProps` or similar fns and `Document.getInitialProps` to read the nonce from
+  // It is generated for all page requests but only used by pages that need CSP
+  req.headers["x-nonce"] = nonce;
+
+  if (res) {
+    res.setHeader(
+      req.headers["x-csp-enforce"] === "true"
+        ? "Content-Security-Policy"
+        : "Content-Security-Policy-Report-Only",
+      getCspPolicy(nonce)
+        .replace(/\s{2,}/g, " ")
+        .trim()
+    );
+  }
+
+  return { nonce };
+}
diff --git a/apps/web/lib/withNonce.tsx b/apps/web/lib/withNonce.tsx
new file mode 100644
index 00000000000000..a07f901b8ffab3
--- /dev/null
+++ b/apps/web/lib/withNonce.tsx
@@ -0,0 +1,41 @@
+import { GetServerSideProps, GetServerSidePropsContext } from "next";
+
+import { csp } from "@lib/csp";
+
+export type WithNonceProps = {
+  nonce?: string;
+};
+
+/**
+ * Make any getServerSideProps fn return the nonce so that it can be used by Components in the page to add any script tag.
+ * Note that if the Components are not adding any script tag then this is not needed. Even in absence of this, Document.getInitialProps would be able to generate nonce itself which it needs to add script tags common to all pages
+ * There is no harm in wrapping a `getServerSideProps` fn with this even if it doesn't add any script tag.
+ */
+export default function withNonce(getServerSideProps: GetServerSideProps) {
+  return async (context: GetServerSidePropsContext) => {
+    const ssrResponse = await getServerSideProps(context);
+    const { nonce } = csp(context.req, context.res);
+
+    // Skip nonce property if it's not available instead of setting it to undefined because undefined can't be serialized.
+    const nonceProps = nonce
+      ? {
+          nonce,
+        }
+      : null;
+
+    if (!("props" in ssrResponse)) {
+      return ssrResponse;
+    }
+
+    // Helps in debugging that withNonce was used but a valid nonce couldn't be set
+    context.res.setHeader("x-csp", nonce ? "ssr" : "false");
+
+    return {
+      ...ssrResponse,
+      props: {
+        ...ssrResponse.props,
+        ...nonceProps,
+      },
+    };
+  };
+}
diff --git a/apps/web/middleware.ts b/apps/web/middleware.ts
index 4be198227c3565..4fcc97add528ef 100644
--- a/apps/web/middleware.ts
+++ b/apps/web/middleware.ts
@@ -36,11 +36,28 @@ const middleware: NextMiddleware = async (req) => {
     return NextResponse.rewrite(url);
   }
 
+  if (url.pathname.startsWith("/auth/login")) {
+    const moreHeaders = new Headers();
+    // Use this header to actually enforce CSP, otherwise it is running in Report Only mode on all pages.
+    moreHeaders.set("x-csp-enforce", "true");
+    return NextResponse.next({
+      request: {
+        headers: moreHeaders,
+      },
+    });
+  }
+
   return NextResponse.next();
 };
 
 export const config = {
-  matcher: ["/api/collect-events/:path*", "/api/auth/:path*", "/apps/routing_forms/:path*", "/:path*/embed"],
+  matcher: [
+    "/api/collect-events/:path*",
+    "/api/auth/:path*",
+    "/apps/routing_forms/:path*",
+    "/:path*/embed",
+    "/auth/login",
+  ],
 };
 
 export default collectEvents({
diff --git a/apps/web/next.config.js b/apps/web/next.config.js
index c3afcc7ac6a339..b76ea1b273436d 100644
--- a/apps/web/next.config.js
+++ b/apps/web/next.config.js
@@ -35,6 +35,12 @@ if (!process.env.NEXT_PUBLIC_WEBSITE_URL) {
   process.env.NEXT_PUBLIC_WEBSITE_URL = process.env.NEXT_PUBLIC_WEBAPP_URL;
 }
 
+if (process.env.CSP_POLICY === "strict" && process.env.NODE_ENV === "production") {
+  throw new Error(
+    "Strict CSP policy(for style-src) is not yet supported in production. You can experiment with it in Dev Mode"
+  );
+}
+
 if (!process.env.EMAIL_FROM) {
   console.warn(
     "\x1b[33mwarn",
@@ -188,6 +194,19 @@ const nextConfig = {
           },
         ],
       },
+      {
+        source: "/:path*",
+        headers: [
+          {
+            key: "X-Content-Type-Options",
+            value: "nosniff",
+          },
+          {
+            key: "Referrer-Policy",
+            value: "strict-origin-when-cross-origin",
+          },
+        ],
+      },
     ];
   },
   async redirects() {
diff --git a/apps/web/pages/_app.tsx b/apps/web/pages/_app.tsx
index f3d7a12b844e27..053a2a3ea9160e 100644
--- a/apps/web/pages/_app.tsx
+++ b/apps/web/pages/_app.tsx
@@ -29,13 +29,27 @@ function MyApp(props: AppProps) {
   } else if (router.pathname === "/500") {
     pageStatus = "500";
   }
+
+  // On client side don't let nonce creep into DOM
+  // It also avoids hydration warning that says that Client has the nonce value but server has "" because browser removes nonce attributes before DOM is built
+  // See https://github.com/kentcdodds/nonce-hydration-issues
+  // Set "" only if server had it set otherwise keep it undefined because server has to match with client to avoid hydration error
+  const nonce = typeof window !== "undefined" ? (pageProps.nonce ? "" : undefined) : pageProps.nonce;
+  const providerProps = {
+    ...props,
+    pageProps: {
+      ...props.pageProps,
+      nonce,
+    },
+  };
   // Use the layout defined at the page level, if available
   const getLayout = Component.getLayout ?? ((page) => page);
   return (
-    <AppProviders {...props}>
+    <AppProviders {...providerProps}>
       <DefaultSeo {...seoConfig.defaultNextSeo} />
       <I18nLanguageHandler />
       <Script
+        nonce={nonce}
         id="page-status"
         dangerouslySetInnerHTML={{ __html: `window.CalComPageStatus = '${pageStatus}'` }}
       />
diff --git a/apps/web/pages/_document.tsx b/apps/web/pages/_document.tsx
index b0d4a4cbfd3e64..c5a42edc03b33d 100644
--- a/apps/web/pages/_document.tsx
+++ b/apps/web/pages/_document.tsx
@@ -1,58 +1,36 @@
 import Document, { DocumentContext, Head, Html, Main, NextScript, DocumentProps } from "next/document";
 import Script from "next/script";
+import { z } from "zod";
 
 import { getDirFromLang } from "@calcom/lib/i18n";
 
-type Props = Record<string, unknown> & DocumentProps;
-
-function toRunBeforeReactOnClient() {
-  const calEmbedMode = typeof new URL(document.URL).searchParams.get("embed") === "string";
-  /* Iframe Name */
-  window.name.includes("cal-embed");
-
-  window.isEmbed = () => {
-    // Once an embed mode always an embed mode
-    return calEmbedMode;
-  };
-
-  window.resetEmbedStatus = () => {
-    try {
-      // eslint-disable-next-line @calcom/eslint/avoid-web-storage
-      window.sessionStorage.removeItem("calEmbedMode");
-    } catch (e) {}
-  };
-
-  window.getEmbedTheme = () => {
-    const url = new URL(document.URL);
-    return url.searchParams.get("theme") as "dark" | "light";
-  };
+import { csp } from "@lib/csp";
 
-  window.getEmbedNamespace = () => {
-    const url = new URL(document.URL);
-    const namespace = url.searchParams.get("embed");
-    return namespace;
-  };
-
-  window.isPageOptimizedForEmbed = () => {
-    // Those pages are considered optimized, which know at backend that they are rendering for embed.
-    // Such pages can be shown straightaway without a loader for a better embed experience
-    return location.pathname.includes("forms/");
-  };
-}
+type Props = Record<string, unknown> & DocumentProps;
 
 class MyDocument extends Document<Props> {
   static async getInitialProps(ctx: DocumentContext) {
+    const { nonce } = csp(ctx.req || null, ctx.res || null);
+    if (!process.env.CSP_POLICY) {
+      ctx.res?.setHeader("x-csp", "not-opted-in");
+    } else if (!ctx.res?.getHeader("x-csp")) {
+      // If x-csp not set by gSSP, then it's initialPropsOnly
+      ctx.res?.setHeader("x-csp", "initialPropsOnly");
+    }
     const isEmbed = ctx.asPath?.includes("/embed") || ctx.asPath?.includes("embedType=");
     const initialProps = await Document.getInitialProps(ctx);
-    return { isEmbed, ...initialProps };
+    return { isEmbed, nonce, ...initialProps };
   }
 
   render() {
     const { locale } = this.props.__NEXT_DATA__;
+    const { isEmbed } = this.props;
+    const nonceParsed = z.string().safeParse(this.props.nonce);
+    const nonce = nonceParsed.success ? nonceParsed.data : "";
     const dir = getDirFromLang(locale);
     return (
       <Html lang={locale} dir={dir}>
-        <Head>
+        <Head nonce={nonce}>
           <link rel="apple-touch-icon" sizes="180x180" href="/apple-touch-icon.png" />
           <link rel="icon" type="image/png" sizes="32x32" href="/favicon-32x32.png" />
           <link rel="icon" type="image/png" sizes="16x16" href="/favicon-16x16.png" />
@@ -68,22 +46,13 @@ class MyDocument extends Document<Props> {
             crossOrigin="anonymous"
           />
           <link rel="preload" href="/fonts/cal.ttf" as="font" type="font/ttf" crossOrigin="anonymous" />
-          {/* Define isEmbed here so that it can be shared with App(embed-iframe) as well as the following code to change background and hide body
-            Persist the embed mode in sessionStorage because query param might get lost during browsing.
-          */}
-          <Script
-            id="run-before-client"
-            strategy="beforeInteractive"
-            dangerouslySetInnerHTML={{
-              __html: `(${toRunBeforeReactOnClient.toString()})()`,
-            }}
-          />
+          <Script src="/embed-init-iframe.js" strategy="beforeInteractive" />
         </Head>
 
         <body
           className="dark:bg-darkgray-50 desktop-transparent bg-gray-100 antialiased"
           style={
-            this.props.isEmbed
+            isEmbed
               ? {
                   background: "transparent",
                   // Keep the embed hidden till parent initializes and
@@ -95,7 +64,7 @@ class MyDocument extends Document<Props> {
               : {}
           }>
           <Main />
-          <NextScript />
+          <NextScript nonce={nonce} />
         </body>
       </Html>
     );
diff --git a/apps/web/pages/auth/login.tsx b/apps/web/pages/auth/login.tsx
index 8144f48bc9dcb2..0304b3d3a3c9c4 100644
--- a/apps/web/pages/auth/login.tsx
+++ b/apps/web/pages/auth/login.tsx
@@ -19,6 +19,7 @@ import { Alert, Button, EmailField, PasswordField } from "@calcom/ui";
 import { FiArrowLeft } from "@calcom/ui/components/icon";
 
 import { inferSSRProps } from "@lib/types/inferSSRProps";
+import withNonce, { WithNonceProps } from "@lib/withNonce";
 
 import AddToHomescreen from "@components/AddToHomescreen";
 import TwoFactor from "@components/auth/TwoFactor";
@@ -40,7 +41,7 @@ export default function Login({
   isSAMLLoginEnabled,
   samlTenantID,
   samlProductID,
-}: inferSSRProps<typeof getServerSideProps>) {
+}: inferSSRProps<typeof _getServerSideProps> & WithNonceProps) {
   const { t } = useLocale();
   const router = useRouter();
   const methods = useForm<LoginValues>();
@@ -205,7 +206,8 @@ export default function Login({
   );
 }
 
-export async function getServerSideProps(context: GetServerSidePropsContext) {
+// TODO: Once we understand how to retrieve prop types automatically from getServerSideProps, remove this temporary variable
+const _getServerSideProps = async function getServerSideProps(context: GetServerSidePropsContext) {
   const { req } = context;
   const session = await getSession({ req });
   const ssr = await ssrInit(context);
@@ -229,7 +231,6 @@ export async function getServerSideProps(context: GetServerSidePropsContext) {
       },
     };
   }
-
   return {
     props: {
       csrfToken: await getCsrfToken(context),
@@ -240,4 +241,6 @@ export async function getServerSideProps(context: GetServerSidePropsContext) {
       samlProductID,
     },
   };
-}
+};
+
+export const getServerSideProps = withNonce(_getServerSideProps);
diff --git a/apps/web/public/embed-init-iframe.js b/apps/web/public/embed-init-iframe.js
new file mode 100644
index 00000000000000..73d5778714c102
--- /dev/null
+++ b/apps/web/public/embed-init-iframe.js
@@ -0,0 +1,26 @@
+const calEmbedMode = typeof new URL(document.URL).searchParams.get("embed") === "string";
+/* Iframe Name */
+window.name.includes("cal-embed");
+
+window.isEmbed = () => {
+  // Once an embed mode always an embed mode
+  return calEmbedMode;
+};
+
+window.resetEmbedStatus = () => {
+  try {
+    // eslint-disable-next-line @calcom/eslint/avoid-web-storage
+    window.sessionStorage.removeItem("calEmbedMode");
+  } catch (e) {}
+};
+
+window.getEmbedTheme = () => {
+  const url = new URL(document.URL);
+  return url.searchParams.get("theme");
+};
+
+window.getEmbedNamespace = () => {
+  const url = new URL(document.URL);
+  const namespace = url.searchParams.get("embed");
+  return namespace;
+};
diff --git a/packages/embeds/embed-core/src/embed-iframe.ts b/packages/embeds/embed-core/src/embed-iframe.ts
index 24e4dd017e8bd6..addb35057270a3 100644
--- a/packages/embeds/embed-core/src/embed-iframe.ts
+++ b/packages/embeds/embed-core/src/embed-iframe.ts
@@ -19,7 +19,6 @@ declare global {
     resetEmbedStatus: () => void;
     getEmbedNamespace: () => string | null;
     getEmbedTheme: () => "dark" | "light" | null;
-    isPageOptimizedForEmbed: (calLink: string) => boolean;
   }
 }
 
diff --git a/packages/types/environment.d.ts b/packages/types/environment.d.ts
index e398409c1f01a4..3f14b8fcb715a9 100644
--- a/packages/types/environment.d.ts
+++ b/packages/types/environment.d.ts
@@ -53,5 +53,10 @@ declare namespace NodeJS {
     readonly NEXT_PUBLIC_APP_NAME: string | "Cal";
     readonly NEXT_PUBLIC_SUPPORT_MAIL_ADDRESS: string | "help@cal.com";
     readonly NEXT_PUBLIC_COMPANY_NAME: string | "Cal.com, Inc.";
+    /**
+     *  "strict" -> Strict CSP
+     *  "non-strict" -> Strict CSP except the usage of unsafe-inline for `style-src`
+     */
+    readonly CSP_POLICY: "strict" | "non-strict";
   }
 }
diff --git a/turbo.json b/turbo.json
index 1737ab745d1580..680eb1e529e02d 100644
--- a/turbo.json
+++ b/turbo.json
@@ -69,7 +69,8 @@
         "$DATOCMS_GRAPHQL_ENDPOINT",
         "$DATOCMS_API_TOKEN",
         "$STRIPE_SUPPORT_TABLE",
-        "$ENVIRONMENT_URL"
+        "$ENVIRONMENT_URL",
+        "$CSP_POLICY"
       ],
       "outputs": [".next/**"]
     },

From bdb4a7353b02e369f433b9b4208b3cbdaa461634 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Omar=20L=C3=B3pez?= <zomars@me.com>
Date: Mon, 6 Feb 2023 16:12:11 -0700
Subject: [PATCH 2/3] v2.5.10

---
 apps/web/package.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/apps/web/package.json b/apps/web/package.json
index 6136a64cb55475..4ff1a899ca6ec6 100644
--- a/apps/web/package.json
+++ b/apps/web/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@calcom/web",
-  "version": "2.5.9",
+  "version": "2.5.10",
   "private": true,
   "scripts": {
     "analyze": "ANALYZE=true next build",

From cfc3644d512b40d94b4a239cb0f2213d56ac7b7c Mon Sep 17 00:00:00 2001
From: Udit Takkar <53316345+Udit-takkar@users.noreply.github.com>
Date: Tue, 7 Feb 2023 18:12:47 +0530
Subject: [PATCH 3/3] fix: add req.headers (#6921)

Signed-off-by: Udit Takkar <udit.07814802719@cse.mait.ac.in>
---
 apps/web/middleware.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/apps/web/middleware.ts b/apps/web/middleware.ts
index 4fcc97add528ef..d461f4b68684dd 100644
--- a/apps/web/middleware.ts
+++ b/apps/web/middleware.ts
@@ -37,7 +37,7 @@ const middleware: NextMiddleware = async (req) => {
   }
 
   if (url.pathname.startsWith("/auth/login")) {
-    const moreHeaders = new Headers();
+    const moreHeaders = new Headers(req.headers);
     // Use this header to actually enforce CSP, otherwise it is running in Report Only mode on all pages.
     moreHeaders.set("x-csp-enforce", "true");
     return NextResponse.next({