add a static nonce

this is kinda bad... but it should at least help us get away from blanket allowing ANY unsafe inline
mastercomfig · Jul 11, 2024 · 16cc738 · 16cc738
1 parent b28d45a
commit 16cc738
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 1 deletion.
diff --git a/astro.config.mts b/astro.config.mts
@@ -5,6 +5,7 @@ import sentry from "@sentry/astro";
 import AstroPWA from "@vite-pwa/astro";
 import type { AstroIntegration } from "astro";
 import { defineConfig } from "astro/config";
+import crypto from "node:crypto";
 import fs from "node:fs";
 import { resolve } from "node:path";
 
@@ -86,6 +87,9 @@ const astroCSPHashExporter: AstroIntegration = {
         "{{SCRIPT_SRC_HASHES}}",
         scriptSrcHashes,
       );
+      // Not ideal, but protects against non-targeted attacks. We don't really have options for non-dynamic content.
+      const scriptSrcNonce = crypto.randomBytes(16).toString("base64");
+      headersFile = headersFile.replace("{{SCRIPT_SRC_NONCE}}", scriptSrcNonce);
       const styleSrcElementHashes = `'${sriHashes.inlineStyleHashes.join("' '")}'`;
       headersFile = headersFile.replace(
         "{{STYLE_SRC_ELEM_HASHES}}",

diff --git a/public/_headers b/public/_headers
@@ -2,7 +2,7 @@
   ! Access-Control-Allow-Origin
   Permissions-Policy: document-domain=()
   Document-Policy: js-profiling
-  Content-Security-Policy: upgrade-insecure-requests; default-src 'none'; script-src 'unsafe-inline' 'self' blob: https://static.cloudflareinsights.com; frame-src https://www.youtube-nocookie.com; img-src data: https:; connect-src https:; media-src blob: https:; style-src 'self'; style-src-elem {{STYLE_SRC_ELEM_HASHES}} 'self'; style-src-attr 'unsafe-inline'; manifest-src 'self'; font-src 'self'; worker-src blob: 'self'; form-action 'self'; frame-ancestors 'none'; base-uri 'none'; sandbox allow-downloads allow-forms allow-modals allow-popups allow-popups-to-escape-sandbox allow-presentation allow-same-origin allow-scripts;
+  Content-Security-Policy: upgrade-insecure-requests; default-src 'none'; script-src {{SCRIPT_SRC_NONCE}} {{SCRIPT_SRC_HASHES}} 'self' blob: https://static.cloudflareinsights.com; frame-src https://www.youtube-nocookie.com; img-src data: https:; connect-src https:; media-src blob: https:; style-src 'self'; style-src-elem {{STYLE_SRC_ELEM_HASHES}} 'self'; style-src-attr 'unsafe-inline'; manifest-src 'self'; font-src 'self'; worker-src blob: 'self'; form-action 'self'; frame-ancestors 'none'; base-uri 'none'; sandbox allow-downloads allow-forms allow-modals allow-popups allow-popups-to-escape-sandbox allow-presentation allow-same-origin allow-scripts;
   Cross-Origin-Resource-Policy: same-origin
   Cross-Origin-Opener-Policy: same-origin
   Cross-Origin-Embedder-Policy: require-corp