From 741d9eafde6a99d84b36d79df0ee4d024f90fd03 Mon Sep 17 00:00:00 2001
From: Ilya Hancharyk <Ilya_Hancharyk@epam.com>
Date: Mon, 27 Jan 2025 15:03:18 +0100
Subject: [PATCH] EPMRPP-98929 || Update CSP to allow executing inline scripts
 for dev purposes

---
 nginx.conf | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/nginx.conf b/nginx.conf
index c6c9d0cd1d..d4da09bd3f 100644
--- a/nginx.conf
+++ b/nginx.conf
@@ -37,9 +37,9 @@ http {
             add_header X-Frame-Options "DENY";
             add_header X-Content-Type-Options "nosniff";
             add_header X-XSS-Protection "1; mode=block";
-            # The CSP need to be updated before release ("localhost:*" should be removed in favor of own Service UI files)
-            # Update other `location`s accordingly
-            add_header Content-Security-Policy "object-src 'none'; default-src 'self' data: *.uservoice.com; script-src localhost:* 'self' 'sha256-3q+Q3HGgk9UiNUdwzAAIEnZ+yR0E/2GaklnqnIzhtwE=' status.reportportal.io www.google-analytics.com www.googletagmanager.com stats.g.doubleclick.net *.saucelabs.com *.epam.com *.uservoice.com *.rawgit.com https://*.clarity.ms https://c.bing.com; worker-src 'self' blob:; font-src 'self' data: fonts.googleapis.com fonts.gstatic.com *.rawgit.com; style-src-elem 'self' data: 'unsafe-inline' *.googleapis.com *.rawgit.com; style-src 'self' 'unsafe-inline' https://tagmanager.google.com; media-src 'self' *.saucelabs.com *.browserstack.com blob:; img-src * 'self' data: blob: http: https: www.google-analytics.com; connect-src localhost:* 'self' *.google-analytics.com *.analytics.google.com https://stats.g.doubleclick.net https://*.clarity.ms https://c.bing.com; frame-src 'self' https://webto.salesforce.com";
+            # TODO: The CSP need to be updated before release ('localhost:*', 'unsafe-eval'  should be removed in favor of own Service UI files)
+            # TODO: Update other `location`s accordingly
+            add_header Content-Security-Policy "object-src 'none'; default-src 'self' data: *.uservoice.com; script-src localhost:* 'unsafe-eval' 'self' 'sha256-3q+Q3HGgk9UiNUdwzAAIEnZ+yR0E/2GaklnqnIzhtwE=' status.reportportal.io www.google-analytics.com www.googletagmanager.com stats.g.doubleclick.net *.saucelabs.com *.epam.com *.uservoice.com *.rawgit.com https://*.clarity.ms https://c.bing.com; worker-src 'self' blob:; font-src 'self' data: fonts.googleapis.com fonts.gstatic.com *.rawgit.com; style-src-elem 'self' data: 'unsafe-inline' *.googleapis.com *.rawgit.com; style-src 'self' 'unsafe-inline' https://tagmanager.google.com; media-src 'self' *.saucelabs.com *.browserstack.com blob:; img-src * 'self' data: blob: http: https: www.google-analytics.com; connect-src localhost:* 'self' *.google-analytics.com *.analytics.google.com https://stats.g.doubleclick.net https://*.clarity.ms https://c.bing.com; frame-src 'self' https://webto.salesforce.com";
             try_files $uri /index.html;
         }
 
@@ -48,20 +48,20 @@ http {
             add_header X-Frame-Options "DENY";
             add_header X-Content-Type-Options "nosniff";
             add_header X-XSS-Protection "1; mode=block";
-            add_header Content-Security-Policy "object-src 'none'; default-src 'self' data: *.uservoice.com; script-src localhost:* 'self' 'sha256-3q+Q3HGgk9UiNUdwzAAIEnZ+yR0E/2GaklnqnIzhtwE=' status.reportportal.io www.google-analytics.com www.googletagmanager.com stats.g.doubleclick.net *.saucelabs.com *.epam.com *.uservoice.com *.rawgit.com https://*.clarity.ms https://c.bing.com; worker-src 'self' blob:; font-src 'self' data: fonts.googleapis.com fonts.gstatic.com *.rawgit.com; style-src-elem 'self' data: 'unsafe-inline' *.googleapis.com *.rawgit.com; style-src 'self' 'unsafe-inline' https://tagmanager.google.com; media-src 'self' *.saucelabs.com *.browserstack.com blob:; img-src * 'self' data: blob: http: https: www.google-analytics.com; connect-src localhost:* 'self' *.google-analytics.com *.analytics.google.com https://stats.g.doubleclick.net https://*.clarity.ms https://c.bing.com; frame-src 'self' https://webto.salesforce.com";
+            add_header Content-Security-Policy "object-src 'none'; default-src 'self' data: *.uservoice.com; script-src localhost:* 'unsafe-eval' 'self' 'sha256-3q+Q3HGgk9UiNUdwzAAIEnZ+yR0E/2GaklnqnIzhtwE=' status.reportportal.io www.google-analytics.com www.googletagmanager.com stats.g.doubleclick.net *.saucelabs.com *.epam.com *.uservoice.com *.rawgit.com https://*.clarity.ms https://c.bing.com; worker-src 'self' blob:; font-src 'self' data: fonts.googleapis.com fonts.gstatic.com *.rawgit.com; style-src-elem 'self' data: 'unsafe-inline' *.googleapis.com *.rawgit.com; style-src 'self' 'unsafe-inline' https://tagmanager.google.com; media-src 'self' *.saucelabs.com *.browserstack.com blob:; img-src * 'self' data: blob: http: https: www.google-analytics.com; connect-src localhost:* 'self' *.google-analytics.com *.analytics.google.com https://stats.g.doubleclick.net https://*.clarity.ms https://c.bing.com; frame-src 'self' https://webto.salesforce.com";
             try_files $uri /index.html;
         }
 
         # build info
         location /info {
             add_header Cache-Control "public, must-revalidate";
-            add_header Content-Security-Policy "object-src 'none'; default-src 'self' data: *.uservoice.com; script-src localhost:* 'self' 'sha256-3q+Q3HGgk9UiNUdwzAAIEnZ+yR0E/2GaklnqnIzhtwE=' status.reportportal.io www.google-analytics.com www.googletagmanager.com stats.g.doubleclick.net *.saucelabs.com *.epam.com *.uservoice.com *.rawgit.com https://*.clarity.ms https://c.bing.com; worker-src 'self' blob:; font-src 'self' data: fonts.googleapis.com fonts.gstatic.com *.rawgit.com; style-src-elem 'self' data: 'unsafe-inline' *.googleapis.com *.rawgit.com; style-src 'self' 'unsafe-inline' https://tagmanager.google.com; media-src 'self' *.saucelabs.com *.browserstack.com blob:; img-src * 'self' data: blob: http: https: www.google-analytics.com; connect-src localhost:* 'self' *.google-analytics.com *.analytics.google.com https://stats.g.doubleclick.net https://*.clarity.ms https://c.bing.com; frame-src 'self' https://webto.salesforce.com";
+            add_header Content-Security-Policy "object-src 'none'; default-src 'self' data: *.uservoice.com; script-src localhost:* 'unsafe-eval' 'self' 'sha256-3q+Q3HGgk9UiNUdwzAAIEnZ+yR0E/2GaklnqnIzhtwE=' status.reportportal.io www.google-analytics.com www.googletagmanager.com stats.g.doubleclick.net *.saucelabs.com *.epam.com *.uservoice.com *.rawgit.com https://*.clarity.ms https://c.bing.com; worker-src 'self' blob:; font-src 'self' data: fonts.googleapis.com fonts.gstatic.com *.rawgit.com; style-src-elem 'self' data: 'unsafe-inline' *.googleapis.com *.rawgit.com; style-src 'self' 'unsafe-inline' https://tagmanager.google.com; media-src 'self' *.saucelabs.com *.browserstack.com blob:; img-src * 'self' data: blob: http: https: www.google-analytics.com; connect-src localhost:* 'self' *.google-analytics.com *.analytics.google.com https://stats.g.doubleclick.net https://*.clarity.ms https://c.bing.com; frame-src 'self' https://webto.salesforce.com";
             try_files $uri /buildInfo.json 404;
         }
 
         location /ui/info {
             add_header Cache-Control "public, must-revalidate";
-            add_header Content-Security-Policy "object-src 'none'; default-src 'self' data: *.uservoice.com; script-src localhost:* 'self' 'sha256-3q+Q3HGgk9UiNUdwzAAIEnZ+yR0E/2GaklnqnIzhtwE=' status.reportportal.io www.google-analytics.com www.googletagmanager.com stats.g.doubleclick.net *.saucelabs.com *.epam.com *.uservoice.com *.rawgit.com https://*.clarity.ms https://c.bing.com; worker-src 'self' blob:; font-src 'self' data: fonts.googleapis.com fonts.gstatic.com *.rawgit.com; style-src-elem 'self' data: 'unsafe-inline' *.googleapis.com *.rawgit.com; style-src 'self' 'unsafe-inline' https://tagmanager.google.com; media-src 'self' *.saucelabs.com *.browserstack.com blob:; img-src * 'self' data: blob: http: https: www.google-analytics.com; connect-src localhost:* 'self' *.google-analytics.com *.analytics.google.com https://stats.g.doubleclick.net https://*.clarity.ms https://c.bing.com; frame-src 'self' https://webto.salesforce.com";
+            add_header Content-Security-Policy "object-src 'none'; default-src 'self' data: *.uservoice.com; script-src localhost:* 'unsafe-eval' 'self' 'sha256-3q+Q3HGgk9UiNUdwzAAIEnZ+yR0E/2GaklnqnIzhtwE=' status.reportportal.io www.google-analytics.com www.googletagmanager.com stats.g.doubleclick.net *.saucelabs.com *.epam.com *.uservoice.com *.rawgit.com https://*.clarity.ms https://c.bing.com; worker-src 'self' blob:; font-src 'self' data: fonts.googleapis.com fonts.gstatic.com *.rawgit.com; style-src-elem 'self' data: 'unsafe-inline' *.googleapis.com *.rawgit.com; style-src 'self' 'unsafe-inline' https://tagmanager.google.com; media-src 'self' *.saucelabs.com *.browserstack.com blob:; img-src * 'self' data: blob: http: https: www.google-analytics.com; connect-src localhost:* 'self' *.google-analytics.com *.analytics.google.com https://stats.g.doubleclick.net https://*.clarity.ms https://c.bing.com; frame-src 'self' https://webto.salesforce.com";
             try_files $uri /buildInfo.json 404;
         }