connect src, remove unsinline

saferwall · Feb 7, 2022 · 36f26b3 · 36f26b3
1 parent c6c0db8
commit 36f26b3
Show file tree

Hide file tree

Showing 4 changed files with 10 additions and 4 deletions.
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
@@ -22,7 +22,7 @@ jobs:
         with:
           node-version: ${{ matrix.node-version }}
       - run: yarn install
-      - run: yarn build --no-unsafe-inline
+      - run: yarn build
 
   docker-build:
     runs-on: ubuntu-20.04

diff --git a/Dockerfile b/Dockerfile
@@ -24,7 +24,7 @@ RUN yarn install
 COPY . .
 
 # build the app
-RUN yarn build --no-unsafe-inline
+RUN yarn build
 
 ############################
 # STEP 2 build a small image

diff --git a/entrypoint.sh b/entrypoint.sh
@@ -23,11 +23,17 @@ done
 NGINX_CONF_FILE="/etc/nginx/conf.d/default.conf"
 INDEX_HTML_FILE="/usr/share/nginx/html/index.html";
 
+
+# api url csp
+sed -i "s~connect-src~connect-src $VUE_APP_BASE_URI~g" $NGINX_CONF_FILE
+sed -i "s~connect-src~connect-src $VUE_APP_API_BASE_URL~g" $NGINX_CONF_FILE
+
 # Add avatars url to csp
 if [ -z "${VUE_APP_AVATAR_BASE_URL}" ]; then
   echo "[Warn] VUE_APP_AVATAR_BASE_URL env value is not defined, it can cause problem on profile avatar image loading !"
 else
   sed -i "s~img-src~img-src $VUE_APP_AVATAR_BASE_URL~g" $NGINX_CONF_FILE
+  sed -i "s~connect-src~connect-src $VUE_APP_AVATAR_BASE_URL~g" $NGINX_CONF_FILE
 fi
 
 # Replace env in index.html
@@ -45,7 +51,7 @@ else
   sed -i "s/$HEAD_TAG/$GA_TAG\n$HEAD_TAG/g" $INDEX_HTML_FILE
 
   sed -i "s~script-src~script-src https://www.google-analytics.com~g" $NGINX_CONF_FILE
+  sed -i "s~connect-src~connect-src https://www.google-analytics.com~g" $NGINX_CONF_FILE
 fi
-
 echo "[Info] Starting Nginx ..."
 nginx -g 'daemon off;'
diff --git a/nginx.conf b/nginx.conf
@@ -17,7 +17,7 @@ server {
   add_header X-Frame-Options "DENY";
   add_header X-Content-Type-Options nosniff;
   add_header X-XSS-Protection "1; mode=block";
-  add_header Content-Security-Policy "default-src 'self'; font-src *; script-src 'unsafe-eval' 'self'; style-src 'self' 'unsafe-inline' fonts.googleapis.com; object-src 'none'; base-uri 'self'; form-action 'self'; img-src 'self' data:;";
+  add_header Content-Security-Policy "default-src 'self'; font-src *; script-src 'unsafe-eval' 'self'; style-src 'self' 'unsafe-inline' fonts.googleapis.com; object-src 'none'; base-uri 'self'; form-action 'self'; img-src 'self' data:; connect-src 'self';";
 
   location / {
     try_files $uri $uri/ @rewrites;