ekzyis
/
stacker.news
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix comment (unsafe-eval isn't used in prod) (#825)

This commit is contained in:
ekzyis 2024-02-14 15:45:00 +01:00 committed by GitHub
parent 04991b4ddf
commit 30bc3b612a
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 1 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
middleware.js
View File

@ -28,8 +28,7 @@ export function middleware (request) {
"img-src 'self' a.stacker.news m.stacker.news https: data: blob:",
// Using nonces and strict-dynamic deploys a strict CSP.
// see https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html#strict-policy.
// Old browsers will ignore nonce and strict-dynamic
// and fallback to host matching, unsafe-inline and unsafe-eval (no protection against XSS)
// Old browsers will ignore nonce and strict-dynamic and fallback to host-based matching and unsafe-inline
process.env.NODE_ENV === 'production'
? `script-src 'self' 'unsafe-inline' 'nonce-${nonce}' 'strict-dynamic' https:`
// unsafe-eval is required during development due to react-refresh.js