From 98a27caaa91a8b18b56b86f0334a0e19f17e2672 Mon Sep 17 00:00:00 2001
From: ekzyis
Date: Fri, 3 May 2024 14:17:10 -0500
Subject: [PATCH] Allow http: and ws: in dev CSP (#1126)

* Allow HTTP in dev build

* Also allow ws://
---
 lib/validate.js | 2 +-
 middleware.js | 8 +++++---
 2 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/lib/validate.js b/lib/validate.js
index 440649b1..65ac914d 100644
--- a/lib/validate.js
+++ b/lib/validate.js
@@ -604,7 +604,7 @@ export const lnbitsSchema = object({
 url: process.env.NODE_ENV === 'development'
 ? string()
 .or([string().matches(/^(http:\/\/)?localhost:\d+$/), string().url()], 'invalid url')
- .required('required').trim().https()
+ .required('required').trim()
 : string().url().required('required').trim().https(),
 adminKey: string().length(32)
 })
diff --git a/middleware.js b/middleware.js
index 88727d45..6698bcb0 100644
--- a/middleware.js
+++ b/middleware.js
@@ -19,12 +19,14 @@ export function middleware (request) {
 resp = referrerMiddleware(request)
 }
 
+ const isDev = process.env.NODE_ENV === 'development'
+
 const nonce = Buffer.from(crypto.randomUUID()).toString('base64')
 // we want to load media from other localhost ports during development
- const devSrc = process.env.NODE_ENV === 'development' ? ' localhost:*' : ''
+ const devSrc = isDev ? ' localhost:* http: ws:' : ''
 // unsafe-eval is required during development due to react-refresh.js
 // see https://github.com/vercel/next.js/issues/14221
- const devScriptSrc = process.env.NODE_ENV === 'development' ? " 'unsafe-eval'" : ''
+ const devScriptSrc = isDev ? " 'unsafe-eval'" : ''
 const cspHeader = [
 // if something is not explicitly allowed, we don't allow it.
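Review bot: The dev branch of `url` in `lnbitsSchema` now drops `.https()` with no comment saying why, while the production branch on the next line still calls `.https()`; a later reader cannot tell whether the asymmetry is deliberate. Suggest a comment above the ternary: `// dev only: plain http:// is accepted so a local lnbits instance can be used; the production branch below still requires https`. The branch is selected once, when the module is evaluated, so the relaxed rule applies whenever `NODE_ENV` is `'development'` in the running process — worth saying in the same comment so a mis-set environment in a deployment is recognised as the cause. `lnbitsSchema` begins before the hunk.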
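Review bot: The comment above `devSrc` still says only "load media from other localhost ports", but the new value `' localhost:* http: ws:'` adds the bare scheme sources `http:` and `ws:`, which in CSP match any host on those schemes, not just localhost; the comment should state that widening, e.g. `// dev only: also allow any http: and ws: origin (not only localhost ports), presumably for unencrypted local services and the dev websocket`. Where `devSrc` is spliced into the directive list is outside this hunk, so which directives are widened is not visible here; if it lands in `default-src` the relaxation applies to every fetch type without a more specific directive. `middleware` continues past the hunk.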
@@ -47,7 +49,7 @@ export function middleware (request) {
 // blocks injection of tags
 "base-uri 'none'",
 // tell user agents to replace HTTP with HTTPS
- 'upgrade-insecure-requests',
+ isDev ? '' : 'upgrade-insecure-requests',
 // prevents any domain from framing the content (defense against clickjacking attacks)
 "frame-ancestors 'none'"
 ].join('; ')
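Review bot: In dev `isDev ? '' : 'upgrade-insecure-requests'` leaves an empty element in the array, so `join('; ')` emits a doubled separator (`...; ; frame-ancestors 'none'`); browsers tolerate an empty directive, but it is cleaner to drop it with `].filter(Boolean).join('; ')` or to spread it conditionally, `...(isDev ? [] : ['upgrade-insecure-requests'])`. The comment `// tell user agents to replace HTTP with HTTPS` now sits above a conditional and should mention the exception, e.g. `// tell user agents to replace HTTP with HTTPS (skipped in dev, where http: sources are allowed)`. The `cspHeader` array begins before this hunk.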