From 3b9c1b4554373c2adef487cf90374b1388664f22 Mon Sep 17 00:00:00 2001 From: Guilherme Gazzo Date: Tue, 2 Apr 2024 13:17:53 -0300 Subject: [PATCH] fix: http request fails right after `setInlineScriptsAllowed` --- apps/meteor/app/cors/server/cors.ts | 20 +++++++++++++++++--- 1 file changed, 17 insertions(+), 3 deletions(-) diff --git a/apps/meteor/app/cors/server/cors.ts b/apps/meteor/app/cors/server/cors.ts index 2a862635e1cd..7857ec89bec2 100644 --- a/apps/meteor/app/cors/server/cors.ts +++ b/apps/meteor/app/cors/server/cors.ts @@ -16,14 +16,28 @@ type NextFunction = (err?: any) => void; const logger = new Logger('CORS'); +let templatePromise: Promise | void; + +declare module 'meteor/webapp' { + // eslint-disable-next-line @typescript-eslint/no-namespace + namespace WebApp { + function setInlineScriptsAllowed(allowed: boolean): Promise; + } +} + settings.watch( 'Enable_CSP', - Meteor.bindEnvironment((enabled) => { - WebAppInternals.setInlineScriptsAllowed(!enabled); + Meteor.bindEnvironment(async (enabled) => { + templatePromise = WebAppInternals.setInlineScriptsAllowed(!enabled); }), ); -WebApp.rawConnectHandlers.use((_req: http.IncomingMessage, res: http.ServerResponse, next: NextFunction) => { +WebApp.rawConnectHandlers.use(async (_req: http.IncomingMessage, res: http.ServerResponse, next: NextFunction) => { + if (templatePromise) { + await templatePromise; + templatePromise = void 0; + } + // XSS Protection for old browsers (IE) res.setHeader('X-XSS-Protection', '1');