disable draco, to not have to enable eval in CSP

chrisweb · Sep 30, 2024 · 7d23360 · 7d23360
1 parent 9533a72
commit 7d23360
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 3 deletions.
diff --git a/components/neonRoad/Palm.tsx b/components/neonRoad/Palm.tsx
@@ -31,7 +31,11 @@ const PALM_GLTF_PATH = '/assets/3d_models/palm/palm.gltf'
 // code for the gltf version
 const PalmModel = forwardRef<Group, GroupProps>((props, ref) => {
 
-    const { nodes, materials } = useGLTF(PALM_GLTF_PATH) as GLTFResult
+    // second parameter is false to disable draco (wasm decompression tool)
+    // modern browsers support the CSP directive 'wasm-unsafe-eval'
+    // but older browsers require the 'unsafe-eval' directive
+    // when draco is disabled there is no need for wasm, so also no need for 'unsafe-eval'
+    const { nodes, materials } = useGLTF(PALM_GLTF_PATH, false) as GLTFResult
 
     return (
         <group name={'PalmModel'} {...props} ref={ref}>

diff --git a/next.config.mjs b/next.config.mjs
@@ -304,6 +304,9 @@ const securityHeadersConfig = (phase) => {
         // unfortunatly because of fontawesome this is not possible (yet)
         // https://github.com/FortAwesome/Font-Awesome/issues/20001
 
+        // removed 'wasm-unsafe-eval' from script-src
+        // draco compression needed that directive, but it is now disabled (in Palm.tsx)
+
         // when environment is preview enable unsafe-inline scripts for vercel preview feedback/comments feature
         // and whitelist vercel's domains based on:
         // https://vercel.com/docs/workflow-collaboration/comments/specialized-usage#using-a-content-security-policy
@@ -314,7 +317,7 @@ const securityHeadersConfig = (phase) => {
                 ${defaultCSPDirectives}
                 font-src 'self' https://vercel.live/ https://assets.vercel.com https://fonts.gstatic.com;
                 style-src 'self' 'unsafe-inline' https://vercel.live/fonts;
-                script-src 'self' 'unsafe-inline' 'wasm-unsafe-eval' https://vercel.live/;
+                script-src 'self' 'unsafe-inline' https://vercel.live/;
                 connect-src 'self' https://vercel.live/ https://vitals.vercel-insights.com https://*.pusher.com/ wss://*.pusher.com/ ${reportingDomainWildcard};
                 img-src 'self' data: https://vercel.com/ https://vercel.live/;
                 frame-src 'self' https://vercel.live/;
@@ -329,7 +332,7 @@ const securityHeadersConfig = (phase) => {
                 ${defaultCSPDirectives}
                 font-src 'self';
                 style-src 'self' 'unsafe-inline';
-                script-src 'self' 'unsafe-inline' 'wasm-unsafe-eval';
+                script-src 'self' 'unsafe-inline';
                 connect-src 'self' https://vitals.vercel-insights.com ${reportingDomainWildcard};
                 img-src 'self' data:;
                 frame-src 'none';