Disable CSP

2024-11-21 15:53:13 +01:00 · 2024-11-18 12:57:12 +01:00 · 2024-11-18 12:57:12 +01:00 · 9e6086984f
commit 9e6086984f
parent 3d7ba56d73
5 changed files with 10 additions and 10 deletions
--- a/.env.example
+++ b/.env.example
@ -279,7 +279,7 @@ PROXY_FOR_OUTGOING_REQUESTS=null
 # This is mainly used as a defense against cross-site scripting (XSS) attacks, in which
 # an attacker is able to inject malicious code into the web app

-CONTENT_SECURITY_POLICY=true
+CONTENT_SECURITY_POLICY=false


 # Leave the following configuration vars as is.
--- a/2
+++ b/2
@ -242,7 +242,7 @@ ENV \
    # CSP helps to prevent or minimize the risk of certain types of security threats.
    # This is mainly used as a defense against cross-site scripting (XSS) attacks, in which
    # an attacker is able to inject malicious code into the web app
-    CONTENT_SECURITY_POLICY=true \
+    CONTENT_SECURITY_POLICY=false \
    # Leave the following configuration vars as is.
    # Unless you like to tinker and know what you're doing.
    BROADCAST_DRIVER=log \
--- a/app/Http/Middleware/AddContentSecurityPolicyHeaders.php
+++ b/app/Http/Middleware/AddContentSecurityPolicyHeaders.php
@ -16,13 +16,13 @@ class AddContentSecurityPolicyHeaders
     */
    public function handle(Request $request, Closure $next) : Response
    {
-        if (config('2fauth.config.contentSecurityPolicy')) {
-            Vite::useCspNonce();
+        // if (config('2fauth.config.contentSecurityPolicy')) {
+        //     Vite::useCspNonce();

-            return $next($request)->withHeaders([
-                'Content-Security-Policy' => "script-src 'nonce-" . Vite::cspNonce() . "';style-src 'self' 'unsafe-inline';connect-src 'self';img-src 'self' data:;object-src 'none';",
-            ]);
-        }
+        //     return $next($request)->withHeaders([
+        //         'Content-Security-Policy' => "script-src 'nonce-" . Vite::cspNonce() . "';style-src 'self' 'unsafe-inline';connect-src 'self';img-src 'self' data:;object-src 'none';",
+        //     ]);
+        // }

        return $next($request);
    }
--- a/config/2fauth.php
+++ b/config/2fauth.php
@ -31,7 +31,7 @@
        'proxyLogoutUrl' => env('PROXY_LOGOUT_URL', null),
        'appSubdirectory' => env('APP_SUBDIRECTORY', ''),
        'authLogRetentionTime' => envUnlessEmpty('AUTHENTICATION_LOG_RETENTION', 365),
-        'contentSecurityPolicy' => envUnlessEmpty('CONTENT_SECURITY_POLICY', true),
+        'contentSecurityPolicy' => envUnlessEmpty('CONTENT_SECURITY_POLICY', false),
    ],

    /*
--- a/docker/docker-compose.yml
+++ b/docker/docker-compose.yml
@ -139,7 +139,7 @@ services:
      # CSP helps to prevent or minimize the risk of certain types of security threats.
      # This is mainly used as a defense against cross-site scripting (XSS) attacks, in which
      # an attacker is able to inject malicious code into the web app
-      - CONTENT_SECURITY_POLICY=true
+      - CONTENT_SECURITY_POLICY=false
      # Leave the following configuration vars as is.
      # Unless you like to tinker and know what you're doing.
      - BROADCAST_DRIVER=log