Merge pull request #6585 from nursoltan-s/veterans-http-headers

luizrrodrigues · web-flow · commit 7cc8a5982177 · 2022-07-18T19:43:19.000-03:00
remove unsafe-inline csp for veterans
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -356,8 +356,8 @@ workflows:
           context : org-global
           filters:
             branches:
-              only:
-                - free
+              only:                
+                - veterans-http-headers
       # This is alternate dev env for parallel testing
       - "build-qa":
           context : org-global
diff --git a/src/server/index.js b/src/server/index.js
@@ -141,7 +141,7 @@ async function onExpressJsSetup(server) {
       res.header(
         'Content-Security-Policy',
         "default-src 'self';"
-        + " script-src 'report-sample' 'self' 'unsafe-inline' 'unsafe-eval'"
+        + " script-src 'report-sample' 'self'"
           + ` ${config.CDN.PUBLIC}`
           + ' http://www.google-analytics.com'
           + ' https://www.google-analytics.com'
