EPMRPP-98929 || Update CSP to allow executing inline scripts for dev …

…purposes
reportportal · Jan 27, 2025 · 741d9ea · 741d9ea
1 parent cd78978
commit 741d9ea
Showing 1 changed file with 6 additions and 6 deletions.
diff --git a/nginx.conf b/nginx.conf
@@ -37,9 +37,9 @@ http {
             add_header X-Frame-Options "DENY";
             add_header X-Content-Type-Options "nosniff";
             add_header X-XSS-Protection "1; mode=block";
-            # The CSP need to be updated before release ("localhost:*" should be removed in favor of own Service UI files)
-            # Update other `location`s accordingly
-            add_header Content-Security-Policy "object-src 'none'; default-src 'self' data: *.uservoice.com; script-src localhost:* 'self' 'sha256-3q+Q3HGgk9UiNUdwzAAIEnZ+yR0E/2GaklnqnIzhtwE=' status.reportportal.io www.google-analytics.com www.googletagmanager.com stats.g.doubleclick.net *.saucelabs.com *.epam.com *.uservoice.com *.rawgit.com https://*.clarity.ms https://c.bing.com; worker-src 'self' blob:; font-src 'self' data: fonts.googleapis.com fonts.gstatic.com *.rawgit.com; style-src-elem 'self' data: 'unsafe-inline' *.googleapis.com *.rawgit.com; style-src 'self' 'unsafe-inline' https://tagmanager.google.com; media-src 'self' *.saucelabs.com *.browserstack.com blob:; img-src * 'self' data: blob: http: https: www.google-analytics.com; connect-src localhost:* 'self' *.google-analytics.com *.analytics.google.com https://stats.g.doubleclick.net https://*.clarity.ms https://c.bing.com; frame-src 'self' https://webto.salesforce.com";
+            # TODO: The CSP need to be updated before release ('localhost:*', 'unsafe-eval'  should be removed in favor of own Service UI files)
+            # TODO: Update other `location`s accordingly
+            add_header Content-Security-Policy "object-src 'none'; default-src 'self' data: *.uservoice.com; script-src localhost:* 'unsafe-eval' 'self' 'sha256-3q+Q3HGgk9UiNUdwzAAIEnZ+yR0E/2GaklnqnIzhtwE=' status.reportportal.io www.google-analytics.com www.googletagmanager.com stats.g.doubleclick.net *.saucelabs.com *.epam.com *.uservoice.com *.rawgit.com https://*.clarity.ms https://c.bing.com; worker-src 'self' blob:; font-src 'self' data: fonts.googleapis.com fonts.gstatic.com *.rawgit.com; style-src-elem 'self' data: 'unsafe-inline' *.googleapis.com *.rawgit.com; style-src 'self' 'unsafe-inline' https://tagmanager.google.com; media-src 'self' *.saucelabs.com *.browserstack.com blob:; img-src * 'self' data: blob: http: https: www.google-analytics.com; connect-src localhost:* 'self' *.google-analytics.com *.analytics.google.com https://stats.g.doubleclick.net https://*.clarity.ms https://c.bing.com; frame-src 'self' https://webto.salesforce.com";
             try_files $uri /index.html;
         }
 
@@ -48,20 +48,20 @@ http {
             add_header X-Frame-Options "DENY";
             add_header X-Content-Type-Options "nosniff";
             add_header X-XSS-Protection "1; mode=block";
-            add_header Content-Security-Policy "object-src 'none'; default-src 'self' data: *.uservoice.com; script-src localhost:* 'self' 'sha256-3q+Q3HGgk9UiNUdwzAAIEnZ+yR0E/2GaklnqnIzhtwE=' status.reportportal.io www.google-analytics.com www.googletagmanager.com stats.g.doubleclick.net *.saucelabs.com *.epam.com *.uservoice.com *.rawgit.com https://*.clarity.ms https://c.bing.com; worker-src 'self' blob:; font-src 'self' data: fonts.googleapis.com fonts.gstatic.com *.rawgit.com; style-src-elem 'self' data: 'unsafe-inline' *.googleapis.com *.rawgit.com; style-src 'self' 'unsafe-inline' https://tagmanager.google.com; media-src 'self' *.saucelabs.com *.browserstack.com blob:; img-src * 'self' data: blob: http: https: www.google-analytics.com; connect-src localhost:* 'self' *.google-analytics.com *.analytics.google.com https://stats.g.doubleclick.net https://*.clarity.ms https://c.bing.com; frame-src 'self' https://webto.salesforce.com";
+            add_header Content-Security-Policy "object-src 'none'; default-src 'self' data: *.uservoice.com; script-src localhost:* 'unsafe-eval' 'self' 'sha256-3q+Q3HGgk9UiNUdwzAAIEnZ+yR0E/2GaklnqnIzhtwE=' status.reportportal.io www.google-analytics.com www.googletagmanager.com stats.g.doubleclick.net *.saucelabs.com *.epam.com *.uservoice.com *.rawgit.com https://*.clarity.ms https://c.bing.com; worker-src 'self' blob:; font-src 'self' data: fonts.googleapis.com fonts.gstatic.com *.rawgit.com; style-src-elem 'self' data: 'unsafe-inline' *.googleapis.com *.rawgit.com; style-src 'self' 'unsafe-inline' https://tagmanager.google.com; media-src 'self' *.saucelabs.com *.browserstack.com blob:; img-src * 'self' data: blob: http: https: www.google-analytics.com; connect-src localhost:* 'self' *.google-analytics.com *.analytics.google.com https://stats.g.doubleclick.net https://*.clarity.ms https://c.bing.com; frame-src 'self' https://webto.salesforce.com";
             try_files $uri /index.html;
         }
 
         # build info
         location /info {
             add_header Cache-Control "public, must-revalidate";
-            add_header Content-Security-Policy "object-src 'none'; default-src 'self' data: *.uservoice.com; script-src localhost:* 'self' 'sha256-3q+Q3HGgk9UiNUdwzAAIEnZ+yR0E/2GaklnqnIzhtwE=' status.reportportal.io www.google-analytics.com www.googletagmanager.com stats.g.doubleclick.net *.saucelabs.com *.epam.com *.uservoice.com *.rawgit.com https://*.clarity.ms https://c.bing.com; worker-src 'self' blob:; font-src 'self' data: fonts.googleapis.com fonts.gstatic.com *.rawgit.com; style-src-elem 'self' data: 'unsafe-inline' *.googleapis.com *.rawgit.com; style-src 'self' 'unsafe-inline' https://tagmanager.google.com; media-src 'self' *.saucelabs.com *.browserstack.com blob:; img-src * 'self' data: blob: http: https: www.google-analytics.com; connect-src localhost:* 'self' *.google-analytics.com *.analytics.google.com https://stats.g.doubleclick.net https://*.clarity.ms https://c.bing.com; frame-src 'self' https://webto.salesforce.com";
+            add_header Content-Security-Policy "object-src 'none'; default-src 'self' data: *.uservoice.com; script-src localhost:* 'unsafe-eval' 'self' 'sha256-3q+Q3HGgk9UiNUdwzAAIEnZ+yR0E/2GaklnqnIzhtwE=' status.reportportal.io www.google-analytics.com www.googletagmanager.com stats.g.doubleclick.net *.saucelabs.com *.epam.com *.uservoice.com *.rawgit.com https://*.clarity.ms https://c.bing.com; worker-src 'self' blob:; font-src 'self' data: fonts.googleapis.com fonts.gstatic.com *.rawgit.com; style-src-elem 'self' data: 'unsafe-inline' *.googleapis.com *.rawgit.com; style-src 'self' 'unsafe-inline' https://tagmanager.google.com; media-src 'self' *.saucelabs.com *.browserstack.com blob:; img-src * 'self' data: blob: http: https: www.google-analytics.com; connect-src localhost:* 'self' *.google-analytics.com *.analytics.google.com https://stats.g.doubleclick.net https://*.clarity.ms https://c.bing.com; frame-src 'self' https://webto.salesforce.com";
             try_files $uri /buildInfo.json 404;
         }
 
         location /ui/info {
             add_header Cache-Control "public, must-revalidate";
-            add_header Content-Security-Policy "object-src 'none'; default-src 'self' data: *.uservoice.com; script-src localhost:* 'self' 'sha256-3q+Q3HGgk9UiNUdwzAAIEnZ+yR0E/2GaklnqnIzhtwE=' status.reportportal.io www.google-analytics.com www.googletagmanager.com stats.g.doubleclick.net *.saucelabs.com *.epam.com *.uservoice.com *.rawgit.com https://*.clarity.ms https://c.bing.com; worker-src 'self' blob:; font-src 'self' data: fonts.googleapis.com fonts.gstatic.com *.rawgit.com; style-src-elem 'self' data: 'unsafe-inline' *.googleapis.com *.rawgit.com; style-src 'self' 'unsafe-inline' https://tagmanager.google.com; media-src 'self' *.saucelabs.com *.browserstack.com blob:; img-src * 'self' data: blob: http: https: www.google-analytics.com; connect-src localhost:* 'self' *.google-analytics.com *.analytics.google.com https://stats.g.doubleclick.net https://*.clarity.ms https://c.bing.com; frame-src 'self' https://webto.salesforce.com";
+            add_header Content-Security-Policy "object-src 'none'; default-src 'self' data: *.uservoice.com; script-src localhost:* 'unsafe-eval' 'self' 'sha256-3q+Q3HGgk9UiNUdwzAAIEnZ+yR0E/2GaklnqnIzhtwE=' status.reportportal.io www.google-analytics.com www.googletagmanager.com stats.g.doubleclick.net *.saucelabs.com *.epam.com *.uservoice.com *.rawgit.com https://*.clarity.ms https://c.bing.com; worker-src 'self' blob:; font-src 'self' data: fonts.googleapis.com fonts.gstatic.com *.rawgit.com; style-src-elem 'self' data: 'unsafe-inline' *.googleapis.com *.rawgit.com; style-src 'self' 'unsafe-inline' https://tagmanager.google.com; media-src 'self' *.saucelabs.com *.browserstack.com blob:; img-src * 'self' data: blob: http: https: www.google-analytics.com; connect-src localhost:* 'self' *.google-analytics.com *.analytics.google.com https://stats.g.doubleclick.net https://*.clarity.ms https://c.bing.com; frame-src 'self' https://webto.salesforce.com";
             try_files $uri /buildInfo.json 404;
         }