Revert change to Content-Security-Policy: script-src header

b/c we're loading an image, not a script and this isn't needed for now
kiwitcms · Feb 3, 2025 · f08483c · f08483c
1 parent 29b358f
commit f08483c
Show file tree

Hide file tree

Showing 3 changed files with 4 additions and 4 deletions.
diff --git a/etc/nginx.conf b/etc/nginx.conf
@@ -63,7 +63,7 @@ http {
     }
 
     # WARNING: make sure these match tcms.core.middleware.ExtraHeadersMiddleware
-    add_header Content-Security-Policy "script-src 'self' cdn.crowdin.com *.ethicalads.io plausible.io static.scarf.sh;";
+    add_header Content-Security-Policy "script-src 'self' cdn.crowdin.com *.ethicalads.io plausible.io;";
 
     server {
         listen       8080;

diff --git a/tcms/core/middleware.py b/tcms/core/middleware.py
@@ -29,7 +29,7 @@ class ExtraHeadersMiddleware(MiddlewareMixin):
     def process_response(self, request, response):
         if settings.DEBUG:
             response.headers["Content-Security-Policy"] = (
-                "script-src 'self' cdn.crowdin.com *.ethicalads.io plausible.io static.scarf.sh;"
+                "script-src 'self' cdn.crowdin.com *.ethicalads.io plausible.io;"
             )
 
             if request.path.find("/uploads/") > -1:

diff --git a/tests/test_http.sh b/tests/test_http.sh
@@ -93,8 +93,8 @@ _EOF_
     rlPhaseEnd
 
     rlPhaseStartTest "Should send Content-Security-Policy header"
-        rlRun -t -c "curl -k -D- $HTTPS 2>/dev/null | grep $'Content-Security-Policy: script-src \'self\' cdn.crowdin.com \*.ethicalads.io plausible.io static.scarf.sh;'"
-        rlRun -t -c "curl -k -D- $PROXY 2>/dev/null | grep $'Content-Security-Policy: script-src \'self\' cdn.crowdin.com \*.ethicalads.io plausible.io static.scarf.sh;'"
+        rlRun -t -c "curl -k -D- $HTTPS 2>/dev/null | grep $'Content-Security-Policy: script-src \'self\' cdn.crowdin.com \*.ethicalads.io plausible.io;'"
+        rlRun -t -c "curl -k -D- $PROXY 2>/dev/null | grep $'Content-Security-Policy: script-src \'self\' cdn.crowdin.com \*.ethicalads.io plausible.io;'"
     rlPhaseEnd
 
     rlPhaseStartTest "Should not execute inline JavaScript"