From f9d254b3e18ed97ddd0b6e8c23e94ca159a01829 Mon Sep 17 00:00:00 2001 From: Ry0taK <49341894+Ry0taK@users.noreply.github.com> Date: Sat, 11 Feb 2023 12:50:03 +0000 Subject: [PATCH] =?UTF-8?q?unsafe-eval=E3=82=92=E5=89=8A=E9=99=A4?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- packages/backend/src/server/web/ClientServerService.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/backend/src/server/web/ClientServerService.ts b/packages/backend/src/server/web/ClientServerService.ts index a83137f74..5bc5e1889 100644 --- a/packages/backend/src/server/web/ClientServerService.ts +++ b/packages/backend/src/server/web/ClientServerService.ts @@ -176,7 +176,7 @@ export class ClientServerService { // XSSが存在した場合に影響を軽減する // (script-srcにunsafe-inline等を追加すると意味が無くなるので注意) const csp = this.config.contentSecurityPolicy - ?? 'script-src \'self\' \'unsafe-eval\' ' + + ?? 'script-src \'self\' ' + 'https://challenges.cloudflare.com https://hcaptcha.com https://*.hcaptcha.com https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.recaptcha.net/recaptcha/; ' + 'base-uri \'self\'; object-src \'self\'; report-uri /csp-error'; reply.header('Content-Security-Policy-Report-Only', csp);