From fd695c7765e76cbc1190c8a3fe1fabdd162b6ee7 Mon Sep 17 00:00:00 2001
From: Bubka <858858+Bubka@users.noreply.github.com>
Date: Sun, 17 Nov 2024 22:57:15 +0100
Subject: [PATCH] Update CSP

---
 Dockerfile | 5 +++++
 app/Http/Middleware/AddContentSecurityPolicyHeaders.php | 2 +-
 docker/docker-compose.yml | 5 +++++
 3 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/Dockerfile b/Dockerfile
index ad9333b30..7619506d3 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -238,6 +238,11 @@ ENV \
     # You can provide a proxy URL that contains a scheme, username, and password.
     # For example, "http://username:password@192.168.16.1:10".
     PROXY_FOR_OUTGOING_REQUESTS=null \
+    # Set this to true to enable Content-Security-Policy (CSP).
+    # CSP helps to prevent or minimize the risk of certain types of security threats.
+    # This is mainly used as a defense against cross-site scripting (XSS) attacks, in which
+    # an attacker is able to inject malicious code into the web app
+    CONTENT_SECURITY_POLICY=true \
     # Leave the following configuration vars as is.
     # Unless you like to tinker and know what you're doing.
     BROADCAST_DRIVER=log \
diff --git a/app/Http/Middleware/AddContentSecurityPolicyHeaders.php b/app/Http/Middleware/AddContentSecurityPolicyHeaders.php
index 022a1001e..bff1d5a92 100644
--- a/app/Http/Middleware/AddContentSecurityPolicyHeaders.php
+++ b/app/Http/Middleware/AddContentSecurityPolicyHeaders.php
@@ -20,7 +20,7 @@ public function handle(Request $request, Closure $next) : Response
         Vite::useCspNonce();
 
         return $next($request)->withHeaders([
-            'Content-Security-Policy' => "script-src 'nonce-" . Vite::cspNonce() . "';style-src 'self' 'unsafe-inline';connect-src 'self';img-src 'self' data:;object-src 'none';base-uri 'none';",
+            'Content-Security-Policy' => "script-src 'nonce-" . Vite::cspNonce() . "';style-src 'self' 'unsafe-inline';connect-src 'self';img-src 'self' data:;object-src 'none';",
         ]);
     }
 
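Review bot: The new comment block above CONTENT_SECURITY_POLICY explains what CSP is but not the consequence of the choice an operator makes on this line, which is that setting it to false removes the XSS mitigation; a closing sentence such as `# Only set this to false if a reverse proxy in front of the app already sends its own Content-Security-Policy header.` would make the trade-off explicit. The last comment line also ends without a period. The same comment block is duplicated in docker/docker-compose.yml, so the two copies should be kept in sync. Whether the middleware actually reads this variable is not visible in this patch.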
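Review bot: Dropping `base-uri 'none'` from the header on the added line leaves the document base URL unrestricted, so relative script and resource URLs that the nonce is meant to protect could be resolved against a different origin if a base element were ever injected; if the app needs a base element, `base-uri 'self'` keeps that protection, e.g. `'Content-Security-Policy' => "script-src 'nonce-" . Vite::cspNonce() . "';style-src 'self' 'unsafe-inline';connect-src 'self';img-src 'self' data:;object-src 'none';base-uri 'self';",`. The policy also has no `default-src`, so fetch directives not listed (font-src, frame-src, media-src, worker-src) stay unrestricted; `default-src 'self'` would give a safe fallback. Whether this header is now conditional on the CONTENT_SECURITY_POLICY variable added in the Dockerfile is not visible in this hunk. The enclosing handle() method starts outside the hunk.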
diff --git a/docker/docker-compose.yml b/docker/docker-compose.yml
index add51ac24..5378fbba6 100644
--- a/docker/docker-compose.yml
+++ b/docker/docker-compose.yml
@@ -135,6 +135,11 @@ services:
       # You can provide a proxy URL that contains a scheme, username, and password.
       # For example, "http://username:password@192.168.16.1:10".
       - PROXY_FOR_OUTGOING_REQUESTS=null
+      # Set this to true to enable Content-Security-Policy (CSP).
+      # CSP helps to prevent or minimize the risk of certain types of security threats.
+      # This is mainly used as a defense against cross-site scripting (XSS) attacks, in which
+      # an attacker is able to inject malicious code into the web app
+      - CONTENT_SECURITY_POLICY=true
       # Leave the following configuration vars as is.
       # Unless you like to tinker and know what you're doing.
       - BROADCAST_DRIVER=log