Fix vulnerability in content-security-policy (#356)

* add update-caches key in cdn-caching.js * chore(release): 7.18.9-support-inline-js.0 * Add extra parameter * chore(release): 7.18.9-support-inline-js.1 * Change CSP script src * chore(release): 7.18.9-support-inline-js.2 * Add semi colon * chore(release): 7.18.9-support-inline-js.3
quintype · May 8, 2023 · 2375705 · 2375705
1 parent 2016f0f
commit 2375705
Show file tree

Hide file tree

Showing 3 changed files with 45 additions and 127 deletions.
diff --git a/package.json b/package.json
@@ -31,7 +31,7 @@
   "homepage": "https://github.com/quintype/quintype-node-framework#readme",
   "dependencies": {
     "@ampproject/toolbox-optimizer": "2.8.3",
-    "@quintype/amp": "^2.11.0",
+    "@quintype/amp": "^2.10.0",
     "@quintype/backend": "^2.3.3",
     "@quintype/components": "^3.3.0",
     "@quintype/prerender-node": "^3.2.26",

diff --git a/server/handlers/cdn-caching.js b/server/handlers/cdn-caching.js
@@ -20,7 +20,7 @@ exports.addCacheHeadersToResult = function addCacheHeadersToResult({
       res.setHeader(
         "Content-Security-Policy",
         `default-src data: 'unsafe-inline' 'unsafe-eval' https: http:;` +
-          `script-src data: 'unsafe-inline' 'unsafe-eval' https: http: blob:;` +
+          `script-src 'self' https://cdnjs.cloudflare.com;` +
           `style-src data: 'unsafe-inline' https: http: blob:;` +
           `img-src data: https: http: blob:;` +
           `font-src data: https: http:;` +
@@ -60,7 +60,7 @@ exports.addCacheHeadersToResult = function addCacheHeadersToResult({
       res.setHeader(
         "Content-Security-Policy",
         `default-src data: 'unsafe-inline' 'unsafe-eval' https: http:;` +
-          `script-src data: 'unsafe-inline' 'unsafe-eval' https: http: blob:;` +
+          `script-src 'self' https://cdnjs.cloudflare.com;` +
           `style-src data: 'unsafe-inline' https: http: blob:;` +
           `img-src data: https: http: blob:;` +
           `font-src data: https: http:;` +
@@ -80,7 +80,7 @@ exports.addCacheHeadersToResult = function addCacheHeadersToResult({
     res.setHeader(
       "Content-Security-Policy",
       `default-src data: 'unsafe-inline' 'unsafe-eval' https: http:;` +
-        `script-src data: 'unsafe-inline' 'unsafe-eval' https: http: blob:;` +
+        `script-src 'self' https://cdnjs.cloudflare.com;` +
         `style-src data: 'unsafe-inline' https: http: blob:;` +
         `img-src data: https: http: blob:;` +
         `font-src data: https: http:;` +