From 30bc3b612a33da5886fc4fec7a743c260c2a91ca Mon Sep 17 00:00:00 2001
From: ekzyis
Date: Wed, 14 Feb 2024 15:45:00 +0100
Subject: [PATCH] Fix comment (unsafe-eval isn't used in prod) (#825)

---
 middleware.js | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/middleware.js b/middleware.js
index b4fd759d..4840ab97 100644
--- a/middleware.js
+++ b/middleware.js
@@ -28,8 +28,7 @@ export function middleware (request) {
 "img-src 'self' a.stacker.news m.stacker.news https: data: blob:",
 // Using nonces and strict-dynamic deploys a strict CSP.
 // see https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html#strict-policy.
-// Old browsers will ignore nonce and strict-dynamic
-// and fallback to host matching, unsafe-inline and unsafe-eval (no protection against XSS)
+// Old browsers will ignore nonce and strict-dynamic and fallback to host-based matching and unsafe-inline
 process.env.NODE_ENV === 'production'
 ? `script-src 'self' 'unsafe-inline' 'nonce-${nonce}' 'strict-dynamic' https:`
 // unsafe-eval is required during development due to react-refresh.js
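Review bot: The rewritten comment on the added line drops the "(no protection against XSS)" caveat that the removed line carried, yet that consequence still holds: a browser that ignores `'nonce-…'` and `'strict-dynamic'` is left with `'self' 'unsafe-inline' https:`, which allows inline scripts and any https origin, so the production script-src gives no meaningful XSS defense on such a browser. Keeping that stated in the comment makes the trade-off visible to whoever next edits the policy string. Suggested wording: `// Old browsers will ignore nonce and strict-dynamic and fallback to host-based matching and unsafe-inline (no XSS protection there)`. The enclosing middleware() function and the development branch of the ternary continue outside the hunk.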