fix(proxy): omit CSP report only header

Since Cypress omits the blocking CSP header, it should also omit the report-only CSP header. This fixes a lot of `unsafe-inline` script-src warnings that I have seen when running cypress.
cypress-io · Jul 9, 2020 · 94fc5ed · 94fc5ed
1 parent 4b4628e
commit 94fc5ed
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 0 deletions.
diff --git a/packages/proxy/lib/http/response-middleware.ts b/packages/proxy/lib/http/response-middleware.ts
@@ -272,6 +272,7 @@ const OmitProblematicHeaders: ResponseMiddleware = function () {
     'x-frame-options',
     'content-length',
     'content-security-policy',
+    'content-security-policy-report-only',
     'connection',
   ])
 

diff --git a/packages/server/test/integration/http_requests_spec.js b/packages/server/test/integration/http_requests_spec.js
@@ -2072,6 +2072,27 @@ describe('Routes', () => {
         })
       })
 
+      it('omits content-security-policy-report-only', function () {
+        nock(this.server._remoteOrigin)
+          .get('/bar')
+          .reply(200, 'OK', {
+            'Content-Type': 'text/html',
+            'content-security-policy-report-only': 'foobar;',
+          })
+
+        return this.rp({
+          url: 'http://localhost:8080/bar',
+          headers: {
+            'Cookie': '__cypress.initial=false',
+          },
+        })
+          .then((res) => {
+            expect(res.statusCode).to.eq(200)
+
+            expect(res.headers).not.to.have.property('content-security-policy-report-only')
+          })
+      })
+
       it('omits document-domain from Feature-Policy header', function () {
         nock(this.server._remoteOrigin)
         .get('/bar')