Apply CSP for the sample site

jsakamoto · Jul 6, 2024 · 508e0fc · 508e0fc
1 parent 000aa97
commit 508e0fc
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 4 deletions.
diff --git a/.github/workflows/gh-pages.yml b/.github/workflows/gh-pages.yml
@@ -17,18 +17,22 @@ jobs:
         uses: actions/setup-dotnet@v4
         with:
           dotnet-version: 8.0.x
-          dotnet-quality: 'preview'
+          dotnet-quality: "preview"
       - name: Install .NET WebAssembly Tools
         run: dotnet workload install wasm-tools
 
       # Publish the site
       - name: Publish
         run: dotnet publish SampleSites/Client/SampleSite.Client.csproj -c:Release -o:public -p:GHPages=true -f:net8.0
 
+      # Fix the Content Security Policy (CSP)
+      - name: Fix CSP
+        run: sed -i "s|<meta http-equiv=\"content-security-policy\" content=\"default-src 'self'; font-src \*; connect-src 'self' ws://localhost:\* http://localhost:\*; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline' fonts\.googleapis\.com data:; img-src 'self' data:\"/>|<meta http-equiv=\"content-security-policy\" content=\"default-src 'self'; font-src *; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline' fonts.googleapis.com data:; img-src 'self' data:\"/>|" ./public/wwwroot/index.html
+
       # Deploy the site
       - name: Deploy
-        uses: peaceiris/actions-gh-pages@v3
+        uses: peaceiris/actions-gh-pages@v4
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
           publish_dir: public/wwwroot
-          force_orphan: true
+          force_orphan: true
diff --git a/SampleSites/Client/wwwroot/index.html b/SampleSites/Client/wwwroot/index.html
@@ -12,7 +12,7 @@
     <link href="_content/SampleSite.Components/css/site-custom.css" rel="stylesheet" />
     <link href="_content/SampleSite.Components/css/hot-keys-cheat-sheet.css" rel="stylesheet" />
     <link href="SampleSite.Client.styles.css" rel="stylesheet" />
-    <!-- <meta http-equiv="content-security-policy" content="base-uri 'self'; default-src 'self'; font-src *; connect-src *; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline' fonts.googleapis.com data:" /> -->
+    <meta http-equiv="content-security-policy" content="default-src 'self'; font-src *; connect-src 'self' ws://localhost:* http://localhost:*; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline' fonts.googleapis.com data:; img-src 'self' data:" />
 </head>
 
 <body>