@elliemae/pui-cli 8.41.1 → 8.41.2

package/dist/cjs/server/csp.js

@@ -66,22 +66,30 @@ const sendFileWithCSPNonce = ({
 };
 const getScriptSrc = () => {
   const source = (req, res) => `'nonce-${res.locals.cspNonce}'`;
-  const scriptSrc = [source, "strict-dynamic"];
+  const scriptSrc = [source, "'strict-dynamic'"];
   return true ? scriptSrc.concat(["'unsafe-eval'"]) : scriptSrc;
 };
+const getStyleSrc = () => {
+  const source = (req, res) => `'nonce-${res.locals.cspNonce}'`;
+  const scriptSrc = [source, "'strict-dynamic'"];
+  return true ? scriptSrc.concat(["'unsafe-inline'"]) : scriptSrc;
+};
 const csp = (app) => {
   app.use((req, res, next) => {
-    res.locals.cspNonce = import_crypto.default.randomBytes(32).toString("hex");
+    res.locals.cspNonce = import_crypto.default.randomBytes(32).toString("base64");
     next();
   });
   app.use(
     (0, import_helmet.default)({
       contentSecurityPolicy: {
+        useDefaults: false,
         directives: {
+          defaultSrc: import_helmet.default.contentSecurityPolicy.dangerouslyDisableDefaultSrc,
           baseUri: ["'none'"],
           frameAncestors: sources,
           objectSrc: ["'none'"],
           scriptSrc: getScriptSrc(),
+          styleSrc: getStyleSrc(),
           upgradeInsecureRequests: [],
           reportTo: CSP_REPORT_URI
         },

package/dist/cjs/webpack/webpack.prod.babel.js

@@ -115,7 +115,7 @@ const {
   basePath
 } = (0, import_helpers.getPaths)();
 const htmlWebpackPlugin = new import_html_webpack_plugin.default({
-  inject: !(0, import_helpers.isAppLoaderEnabled)(),
+  inject: !(0, import_helpers.isAppLoaderEnabled)() && process.env.CSP !== "true",
   template: !(0, import_helpers.isAppLoaderEnabled)() ? "app/index.html" : "app/index-app-loader.html",
   minify: {
     removeComments: true,

package/dist/esm/server/csp.js

@@ -32,22 +32,30 @@ const sendFileWithCSPNonce = ({
 };
 const getScriptSrc = () => {
   const source = (req, res) => `'nonce-${res.locals.cspNonce}'`;
-  const scriptSrc = [source, "strict-dynamic"];
+  const scriptSrc = [source, "'strict-dynamic'"];
   return true ? scriptSrc.concat(["'unsafe-eval'"]) : scriptSrc;
 };
+const getStyleSrc = () => {
+  const source = (req, res) => `'nonce-${res.locals.cspNonce}'`;
+  const scriptSrc = [source, "'strict-dynamic'"];
+  return true ? scriptSrc.concat(["'unsafe-inline'"]) : scriptSrc;
+};
 const csp = (app) => {
   app.use((req, res, next) => {
-    res.locals.cspNonce = crypto.randomBytes(32).toString("hex");
+    res.locals.cspNonce = crypto.randomBytes(32).toString("base64");
     next();
   });
   app.use(
     helmet({
       contentSecurityPolicy: {
+        useDefaults: false,
         directives: {
+          defaultSrc: helmet.contentSecurityPolicy.dangerouslyDisableDefaultSrc,
           baseUri: ["'none'"],
           frameAncestors: sources,
           objectSrc: ["'none'"],
           scriptSrc: getScriptSrc(),
+          styleSrc: getStyleSrc(),
           upgradeInsecureRequests: [],
           reportTo: CSP_REPORT_URI
         },

package/dist/esm/webpack/webpack.prod.babel.js

@@ -87,7 +87,7 @@ const {
   basePath
 } = getPaths();
 const htmlWebpackPlugin = new HtmlWebpackPlugin({
-  inject: !isAppLoaderEnabled(),
+  inject: !isAppLoaderEnabled() && process.env.CSP !== "true",
   template: !isAppLoaderEnabled() ? "app/index.html" : "app/index-app-loader.html",
   minify: {
     removeComments: true,