Disable CSP

Bubka · Nov 18, 2024 · 9e60869 · 9e60869
1 parent 3d7ba56
commit 9e60869
Show file tree

Hide file tree

Showing 5 changed files with 10 additions and 10 deletions.
diff --git a/.env.example b/.env.example
@@ -279,7 +279,7 @@ PROXY_FOR_OUTGOING_REQUESTS=null
 # This is mainly used as a defense against cross-site scripting (XSS) attacks, in which
 # an attacker is able to inject malicious code into the web app
 
-CONTENT_SECURITY_POLICY=true
+CONTENT_SECURITY_POLICY=false
 
 
 # Leave the following configuration vars as is.

diff --git a/Dockerfile b/Dockerfile
@@ -242,7 +242,7 @@ ENV \
     # CSP helps to prevent or minimize the risk of certain types of security threats.
     # This is mainly used as a defense against cross-site scripting (XSS) attacks, in which
     # an attacker is able to inject malicious code into the web app
-    CONTENT_SECURITY_POLICY=true \
+    CONTENT_SECURITY_POLICY=false \
     # Leave the following configuration vars as is.
     # Unless you like to tinker and know what you're doing.
     BROADCAST_DRIVER=log \

diff --git a/app/Http/Middleware/AddContentSecurityPolicyHeaders.php b/app/Http/Middleware/AddContentSecurityPolicyHeaders.php
@@ -16,13 +16,13 @@ class AddContentSecurityPolicyHeaders
      */
     public function handle(Request $request, Closure $next) : Response
     {
-        if (config('2fauth.config.contentSecurityPolicy')) {
-            Vite::useCspNonce();
+        // if (config('2fauth.config.contentSecurityPolicy')) {
+        //     Vite::useCspNonce();
 
-            return $next($request)->withHeaders([
-                'Content-Security-Policy' => "script-src 'nonce-" . Vite::cspNonce() . "';style-src 'self' 'unsafe-inline';connect-src 'self';img-src 'self' data:;object-src 'none';",
-            ]);
-        }
+        //     return $next($request)->withHeaders([
+        //         'Content-Security-Policy' => "script-src 'nonce-" . Vite::cspNonce() . "';style-src 'self' 'unsafe-inline';connect-src 'self';img-src 'self' data:;object-src 'none';",
+        //     ]);
+        // }
 
         return $next($request);
     }

diff --git a/config/2fauth.php b/config/2fauth.php
@@ -31,7 +31,7 @@
         'proxyLogoutUrl' => env('PROXY_LOGOUT_URL', null),
         'appSubdirectory' => env('APP_SUBDIRECTORY', ''),
         'authLogRetentionTime' => envUnlessEmpty('AUTHENTICATION_LOG_RETENTION', 365),
-        'contentSecurityPolicy' => envUnlessEmpty('CONTENT_SECURITY_POLICY', true),
+        'contentSecurityPolicy' => envUnlessEmpty('CONTENT_SECURITY_POLICY', false),
     ],
 
     /*

diff --git a/docker/docker-compose.yml b/docker/docker-compose.yml
@@ -139,7 +139,7 @@ services:
       # CSP helps to prevent or minimize the risk of certain types of security threats.
       # This is mainly used as a defense against cross-site scripting (XSS) attacks, in which
       # an attacker is able to inject malicious code into the web app
-      - CONTENT_SECURITY_POLICY=true
+      - CONTENT_SECURITY_POLICY=false
       # Leave the following configuration vars as is.
       # Unless you like to tinker and know what you're doing.
       - BROADCAST_DRIVER=log