fix: update csp default handling

blinkk · Mar 14, 2024 · e087f30 · e087f30
1 parent f3e63b3
commit e087f30
Showing 1 changed file with 8 additions and 10 deletions.
diff --git a/packages/root/src/render/render.tsx b/packages/root/src/render/render.tsx
@@ -533,11 +533,18 @@ export class Renderer {
     const securityConfig: Partial<RootSecurityConfig> = {};
 
     if (isTrueOrUndefined(userConfig.contentSecurityPolicy)) {
+      // CSP default values from:
+      // https://csp.withgoogle.com/docs/strict-csp.html
       securityConfig.contentSecurityPolicy = {
         directives: {
           'base-uri': ["'none'"],
           'object-src': ["'none'"],
-          'script-src': ["'self'"],
+          // NOTE: nonce is automatically added to this list.
+          'script-src': [
+            "'unsafe-inline'",
+            "'unsafe-eval'",
+            "'strict-dynamic' https: http:",
+          ],
         },
         reportOnly: true,
       };
@@ -580,17 +587,8 @@ export class Renderer {
     if (typeof contentSecurityPolicy === 'object') {
       const directives = contentSecurityPolicy.directives || {};
       if (options.nonce) {
-        // CSP default values from:
-        // https://csp.withgoogle.com/docs/strict-csp.html
-        if (!directives['object-src']) {
-          directives['object-src'] = ["'none'"];
-        }
-        if (!directives['base-uri']) {
-          directives['base-uri'] = ["'none'"];
-        }
         if (!directives['script-src']) {
           directives['script-src'] = [
-            "'self'",
             "'unsafe-inline'",
             "'unsafe-eval'",
             "'strict-dynamic' https: http:",