Merge pull request #6586 from topcoder-platform/veterans-http-headers

luizrrodrigues · web-flow · commit f4e540fce77c · 2022-07-27T03:22:31.000-03:00
remove unsafe-inline csp for veterans
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -357,8 +357,8 @@ workflows:
           context : org-global
           filters:
             branches:
-              only:
-                - tco23
+              only:                
+                - free
       # This is alternate dev env for parallel testing
       - "build-qa":
           context : org-global
diff --git a/src/server/index.js b/src/server/index.js
@@ -138,10 +138,11 @@ async function onExpressJsSetup(server) {
     res.header('Permissions-Policy', 'geolocation=(), microphone=(), camera=()');
 
     if (req.url.startsWith('/__community__/veterans') || req.hostname === 'veterans.topcoder.com' || req.url.startsWith('/__community__/tco') || tcoPattern.test(req.hostname)) {
+      res.header('Cache-Control', 'no-cache');
       res.header(
         'Content-Security-Policy',
         "default-src 'self';"
-        + " script-src 'report-sample' 'self' 'unsafe-inline' 'unsafe-eval'"
+        + " script-src 'report-sample' 'self'"
           + ` ${config.CDN.PUBLIC}`
           + ' http://www.google-analytics.com'
           + ' https://www.google-analytics.com'
