diff --git a/public/_headers b/public/_headers
index abb9940cef..d873245673 100644
--- a/public/_headers
+++ b/public/_headers
@@ -7,4 +7,5 @@
 X-Download-Options: noopen
 X-Frame-Options: deny
 X-XSS-Protection: 1; mode=block
- Referrer-Policy: same-origin
\ No newline at end of file
+ Referrer-Policy: same-origin
+ Content-Security-Policy-Report-Only: default-src 'none'; img-src 'self' blob:; style-src 'self'; font-src 'self'; script-src 'self';connect-src 'self' api.ente.io; require-trusted-types-for 'script';
\ No newline at end of file
diff --git a/src/pages/_document.tsx b/src/pages/_document.tsx
index c8e71b68f0..d4c3dca4d4 100644
--- a/src/pages/_document.tsx
+++ b/src/pages/_document.tsx
@@ -9,30 +9,6 @@ const cspHashOf = (text) => {
 return `'sha256-${hash.digest('base64')}'`;
 };
-const convertToCSPString = (csp) => {
- let cspStr = '';
- for (const k in csp) {
- if (Object.prototype.hasOwnProperty.call(csp, k)) {
- cspStr += `${k} ${csp[k]}; `;
- }
- }
- return cspStr;
-};
-
-const BASE_CSP_DIRECTIVES = {
- 'default-src': "'none'",
- 'report-uri': 'https://csp-reporter.ente.workers.dev',
- 'report-to': 'https://csp-reporter.ente.workers.dev',
- 'style-src': "'self'",
- 'font-src': "'self'",
-};
-
-const DEV_CSP_DIRECTIVES = {
- 'default-src': "'self'",
- 'style-src': "'self' 'unsafe-inline'",
- 'font-src': "'self' data:",
-};
-
 export default class MyDocument extends Document {
 static async getInitialProps(ctx) {
 const sheet = new ServerStyleSheet();
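Review bot: The added `Content-Security-Policy-Report-Only` header has no `report-uri` or `report-to` directive, so in report-only mode violations only surface in the browser console and never reach a collector; the `report-uri`/`report-to` pointing at `https://csp-reporter.ente.workers.dev` lived in the `BASE_CSP_DIRECTIVES` object this commit deletes from `_document.tsx`, and unless the meta policy rendered beyond this chunk still sets it, the deployment loses its violation telemetry. Appending `report-uri https://csp-reporter.ente.workers.dev;` to the header value keeps it. The header's `script-src 'self'` also omits the inline-script hash that `_document.tsx` computes via `cspHashOf`, so presumably the Next.js inline script will appear in the reports — expected for a report-only trial, but worth confirming before this is promoted to an enforcing header. `connect-src 'self' api.ente.io` is scheme-less and therefore also matches plain `http://api.ente.io`; `https://api.ente.io` would be tighter. The missing space in `'self';connect-src` is tolerated by the parser but worth normalising to `'self'; connect-src`.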
@@ -61,27 +37,16 @@ export default class MyDocument extends Document {
 }
 render() {
- const scriptDirective = {
- 'script-src': `'unsafe-inline' 'self' ${cspHashOf(
- NextScript.getInlineScriptSource(this.props)
- )}`,
- };
- let csp = {
- ...BASE_CSP_DIRECTIVES,
- ...scriptDirective,
- };
- if (process.env.NODE_ENV !== 'production') {
- csp = {
- ...csp,
- ...DEV_CSP_DIRECTIVES,
- };
- }
+ const scriptDirectiveWithHash = `script-src 'unsafe-inline' 'self' ${cspHashOf(
+ NextScript.getInlineScriptSource(this.props)
+ )};`;
+
 return (