Merge pull request #156 from terrateamio/152-fix-inline-script-to-use…

…-nonce #152 FIX Use nonce for inline scripts
terrateamio · Dec 12, 2024 · 1537191 · 1537191
2 parents 38e519b + c8814f9
commit 1537191
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 3 deletions.
diff --git a/code/src/terrat_ui_site/index.html.tmpl b/code/src/terrat_ui_site/index.html.tmpl
@@ -6,7 +6,7 @@ set -o pipefail
 
 if [[ "${TERRAT_UI_ANALYTICS:=false}" != "false" ]]; then
     POSTHOG_ANALYTICS="$(cat <<EOF
-  <script>
+  <script nonce="NGINX_CSP_NONCE">
     !function(t,e){var o,n,p,r;e.__SV||(window.posthog=e,e._i=[],e.init=function(i,s,a){function g(t,e){var o=e.split(".");2==o.length&&(t=t[o[0]],e=o[1]),t[e]=function(){t.push([e].concat(Array.prototype.slice.call(arguments,0)))}}(p=t.createElement("script")).type="text/javascript",p.async=!0,p.src=s.api_host.replace(".i.posthog.com","-assets.i.posthog.com")+"/static/array.js",(r=t.getElementsByTagName("script")[0]).parentNode.insertBefore(p,r);var u=e;for(void 0!==a?u=e[a]=[]:a="posthog",u.people=u.people||[],u.toString=function(t){var e="posthog";return"posthog"!==a&&(e+="."+a),t||(e+=" (stub)"),e},u.people.toString=function(){return u.toString(1)+".people (stub)"},o="init push capture register register_once register_for_session unregister unregister_for_session getFeatureFlag getFeatureFlagPayload isFeatureEnabled reloadFeatureFlags updateEarlyAccessFeatureEnrollment getEarlyAccessFeatures on onFeatureFlags onSessionId getSurveys getActiveMatchingSurveys renderSurvey canRenderSurvey getNextSurveyStep identify setPersonProperties group resetGroups setPersonPropertiesForFlags resetGroupPropertiesForFlags setGroupPropertiesForFlags reset get_distinct_id getGroups get_session_id get_session_replay_url alias set_config startSessionRecording stopSessionRecording sessionRecordingStarted loadToolbar get_property getSessionProperty createPersonProfile opt_in_capturing opt_out_capturing has_opted_in_capturing clear_opt_in_out_capturing debug".split(" "),n=0;n<o.length;n++)g(u,o[n]);e._i.push([i,s,a])},e.__SV=1)}(document,window.posthog||[]); posthog.init("${TERRAT_UI_ANALYTICS}",{api_host:"https://eu.i.posthog.com",persistence:"memory",person_profiles:"identified_only"});
   </script>
 EOF
@@ -36,7 +36,7 @@ cat << EOF
     <script src="/assets/terrat_ui_js.js"></script>
     <script src="/assets/highlight.11.10.0.min.js"></script>
     <script src="/assets/terraform.2024-11-01-eb1b966.js"></script>
-    <script type="text/javascript">
+    <script nonce="NGINX_CSP_NONCE" type="text/javascript">
         hljs.registerLanguage('terraform', window.hljsDefineTerraform);
     </script>
 

diff --git a/docker/terrat/nginx.conf.template b/docker/terrat/nginx.conf.template
@@ -41,10 +41,16 @@ http {
         server_tokens off;
 
         location / {
+
+            set $cspNonce '$request_id';
+            sub_filter_once off;
+            sub_filter_types *;
+            sub_filter 'NGINX_CSP_NONCE' '$cspNonce';
+
             root /usr/local/share/terrat/ui/assets/;
             index index.html index.htm;
             try_files $uri $uri/ /index.html;
-            add_header Content-Security-Policy "default-src 'self' https://eu.posthog.com; img-src 'self' https://avatars.githubusercontent.com; script-src 'self' 'sha256-gTcMaDcBRHtG+Nc7vtSddc6fnAkWc7NY7dgq0ADsLrY=' https://eu.posthog.com https://eu-assets.i.posthog.com https://eu.i.posthog.com; style-src 'self'; object-src 'none'; connect-src 'self' https://eu.i.posthog.com https://eu.posthog.com https://eu-assets.i.posthog.com";
+            add_header Content-Security-Policy "default-src 'self' https://*.posthog.com; img-src 'self' https://avatars.githubusercontent.com; script-src 'self' 'nonce-$cspNonce' https://*.posthog.com; style-src 'self'; object-src 'none'; connect-src 'self' https://*.posthog.com";
         }
 
         location /assets {