From 9e6086984f9edfbde91007c713f5f61840a04207 Mon Sep 17 00:00:00 2001
From: Bubka <858858+Bubka@users.noreply.github.com>
Date: Mon, 18 Nov 2024 12:57:12 +0100
Subject: [PATCH] Disable CSP

---
 .env.example | 2 +-
 Dockerfile | 2 +-
 .../Middleware/AddContentSecurityPolicyHeaders.php | 12 ++++++------
 config/2fauth.php | 2 +-
 docker/docker-compose.yml | 2 +-
 5 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/.env.example b/.env.example
index 3affa391..b9a56ada 100644
--- a/.env.example
+++ b/.env.example
@@ -279,7 +279,7 @@ PROXY_FOR_OUTGOING_REQUESTS=null
 # This is mainly used as a defense against cross-site scripting (XSS) attacks, in which
 # an attacker is able to inject malicious code into the web app
-CONTENT_SECURITY_POLICY=true
+CONTENT_SECURITY_POLICY=false
 # Leave the following configuration vars as is.
diff --git a/Dockerfile b/Dockerfile
index 7619506d..77214c26 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -242,7 +242,7 @@ ENV \
 # CSP helps to prevent or minimize the risk of certain types of security threats.
 # This is mainly used as a defense against cross-site scripting (XSS) attacks, in which
 # an attacker is able to inject malicious code into the web app
- CONTENT_SECURITY_POLICY=true \
+ CONTENT_SECURITY_POLICY=false \
 # Leave the following configuration vars as is.
 # Unless you like to tinker and know what you're doing.
 BROADCAST_DRIVER=log \
diff --git a/app/Http/Middleware/AddContentSecurityPolicyHeaders.php b/app/Http/Middleware/AddContentSecurityPolicyHeaders.php
index bff1d5a9..0fa54d74 100644
--- a/app/Http/Middleware/AddContentSecurityPolicyHeaders.php
+++ b/app/Http/Middleware/AddContentSecurityPolicyHeaders.php
@@ -16,13 +16,13 @@ class AddContentSecurityPolicyHeaders
 */
 public function handle(Request $request, Closure $next) : Response
 {
- if (config('2fauth.config.contentSecurityPolicy')) {
- Vite::useCspNonce();
+ // if (config('2fauth.config.contentSecurityPolicy')) {
+ // Vite::useCspNonce();
- return $next($request)->withHeaders([
- 'Content-Security-Policy' => "script-src 'nonce-" . Vite::cspNonce() . "';style-src 'self' 'unsafe-inline';connect-src 'self';img-src 'self' data:;object-src 'none';",
- ]);
- }
+ // return $next($request)->withHeaders([
+ // 'Content-Security-Policy' => "script-src 'nonce-" . Vite::cspNonce() . "';style-src 'self' 'unsafe-inline';connect-src 'self';img-src 'self' data:;object-src 'none';",
+ // ]);
+ // }
 return $next($request);
 }
diff --git a/config/2fauth.php b/config/2fauth.php
index c8d34fc4..8d585bc0 100644
--- a/config/2fauth.php
+++ b/config/2fauth.php
@@ -31,7 +31,7 @@
 'proxyLogoutUrl' => env('PROXY_LOGOUT_URL', null),
 'appSubdirectory' => env('APP_SUBDIRECTORY', ''),
 'authLogRetentionTime' => envUnlessEmpty('AUTHENTICATION_LOG_RETENTION', 365),
- 'contentSecurityPolicy' => envUnlessEmpty('CONTENT_SECURITY_POLICY', true),
+ 'contentSecurityPolicy' => envUnlessEmpty('CONTENT_SECURITY_POLICY', false),
 ],
 /*
diff --git a/docker/docker-compose.yml b/docker/docker-compose.yml
index 5378fbba..d6a4e33a 100644
--- a/docker/docker-compose.yml
+++ b/docker/docker-compose.yml
@@ -139,7 +139,7 @@ services:
 # CSP helps to prevent or minimize the risk of certain types of security threats.
 # This is mainly used as a defense against cross-site scripting (XSS) attacks, in which
 # an attacker is able to inject malicious code into the web app
- - CONTENT_SECURITY_POLICY=true
+ - CONTENT_SECURITY_POLICY=false
 # Leave the following configuration vars as is.
 # Unless you like to tinker and know what you're doing.
 - BROADCAST_DRIVER=log
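Review bot: With the whole conditional commented out, `handle()` now returns `$next($request)` without a `Content-Security-Policy` header even when an operator sets `CONTENT_SECURITY_POLICY=true`, yet config/2fauth.php still reads that variable and the .env.example, Dockerfile and docker-compose hunks still document it as the switch that enables CSP. If the intent is only to change the default, the `envUnlessEmpty('CONTENT_SECURITY_POLICY', false)` change in config/2fauth.php already achieves that, so the original `if (config('2fauth.config.contentSecurityPolicy')) { ... }` block should stay live rather than commented out. If CSP is meant to be unavailable for now, delete the dead block instead of commenting it out and remove or mark the option in the three config files so the flag does not silently do nothing. Either way a short comment above the method explaining why no header is emitted, e.g. `// CSP header emission is currently disabled regardless of CONTENT_SECURITY_POLICY`, would spare the next reader from tracing the setting through config/2fauth.php; `handle()` is fully inside the hunk, but the enclosing class begins before it.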