miscweb:grunt: add necessary exceptions to CSP headers

**miscweb** - script-src: add 'wasm-unsafe-eval' for WebAssembly-driven search on bugs.jquery.com, bugs.jqueryui.com, and plugins.jquery.com - img-src: allow secure.gravatar.com images on plugins.jquery.com - media-src: allow content.jquery.com media on podcast.jquery.com **grunt** - script-src: add 'unsafe-eval' for the search functionality on gruntjs.com/plugins - the datatables plugin uses jQuery's eval. While later versions of jQuery switched to using script tags for eval, it would still require an exception. The best solution would be to re-implement search, but that will take time. Ref #54 Closes gh-63
jquery · Oct 20, 2024 · 0bb2e32 · 0bb2e32
1 parent 796c077
commit 0bb2e32
Show file tree

Hide file tree

Showing 3 changed files with 34 additions and 3 deletions.
diff --git a/modules/profile/templates/contentorigin/site.nginx.erb b/modules/profile/templates/contentorigin/site.nginx.erb
@@ -15,7 +15,15 @@ server {
 
   # Add Content Security Policy headers
   add_header Reporting-Endpoints "csp-endpoint='https://csp-report-api.openjs-foundation.workers.dev/'";
-  add_header Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self' code.jquery.com; connect-src 'self'; img-src 'self'; style-src 'self'; report-uri https://csp-report-api.openjs-foundation.workers.dev/; report-to csp-endpoint";
+  add_header Content-Security-Policy-Report-Only "
+    default-src 'self';
+    script-src 'self' code.jquery.com;
+    connect-src 'self';
+    img-src 'self';
+    style-src 'self';
+    report-uri https://csp-report-api.openjs-foundation.workers.dev/;
+    report-to csp-endpoint
+  ";
 
   location / {
     root /srv/www/content.jquery.com;

diff --git a/modules/profile/templates/gruntjscom/site.nginx.erb b/modules/profile/templates/gruntjscom/site.nginx.erb
@@ -19,7 +19,17 @@ server {
 
     # Add Content Security Policy headers
     add_header Reporting-Endpoints "csp-endpoint='https://csp-report-api.openjs-foundation.workers.dev/'";
-    add_header Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self'; report-uri https://csp-report-api.openjs-foundation.workers.dev/; report-to csp-endpoint;" always;
+    # script-src: add 'unsafe-eval' for the search functionality on gruntjs.com/plugins
+    # Search will need to be reimplemented to remove this exception.
+    add_header Content-Security-Policy-Report-Only "
+      default-src 'self';
+      script-src 'self' 'unsafe-eval';
+      connect-src 'self';
+      img-src 'self';
+      style-src 'self';
+      report-uri https://csp-report-api.openjs-foundation.workers.dev/;
+      report-to csp-endpoint
+    " always;
   }
 
   location /.well-known/acme-challenge {

diff --git a/modules/profile/templates/miscweb/site.nginx.erb b/modules/profile/templates/miscweb/site.nginx.erb
@@ -20,7 +20,20 @@ server {
 
   # Add Content Security Policy headers
   add_header Reporting-Endpoints "csp-endpoint='https://csp-report-api.openjs-foundation.workers.dev/'";
-  add_header Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self' code.jquery.com; connect-src 'self'; img-src 'self'; style-src 'self'; report-uri https://csp-report-api.openjs-foundation.workers.dev/; report-to csp-endpoint";
+  # script-src: add 'wasm-unsafe-eval' for WebAssembly-driven search on
+  #   bugs.jquery.com, bugs.jqueryui.com, and plugins.jquery.com
+  # img-src: allow secure.gravatar.com images on plugins.jquery.com
+  # media-src: allow content.jquery.com media on podcast.jquery.com
+  add_header Content-Security-Policy-Report-Only "
+    default-src 'self';
+    script-src 'self' 'wasm-unsafe-eval' code.jquery.com;
+    connect-src 'self';
+    img-src 'self' secure.gravatar.com;
+    style-src 'self';
+    media-src 'self' content.jquery.com;
+    report-uri https://csp-report-api.openjs-foundation.workers.dev/;
+    report-to csp-endpoint
+  ";
 
 <%- if @site['allow_php'] -%>
   index index.php index.html;