Fix CSP setting to cover wider cases

whitphx · Dec 3, 2022 · abc5acc · abc5acc
1 parent 7b27991
commit abc5acc
Showing 1 changed file with 8 additions and 3 deletions.
diff --git a/packages/desktop/craco.config.js b/packages/desktop/craco.config.js
@@ -23,14 +23,19 @@ module.exports = {
       const csp = [
         "default-src 'self'",
         // 'unsafe-eval' is necessary to run the Wasm code
-        "script-src 'self' 'unsafe-eval'",
+        "script-src 'unsafe-eval'",
         // style-src is necessary because of emotion. In dev, style-loader with injectType=styleTag is also the reason.
         "style-src 'self' 'unsafe-inline'",
         // The worker is inlined as blob: https://github.com/whitphx/stlite/blob/v0.7.1/packages/stlite-kernel/src/kernel.ts#L16
         "worker-src blob:",
-        "script-src-elem 'self' blob: https://cdn.jsdelivr.net/",
+        // For <script /> tag permissions.
+        // - 'self': The main scripts
+        // - 'unsafe-inline': Allow the inline scripts from custom components
+        // - *: Custom components may load arbitrary third party scripts from the Internet.
+        "script-src-elem 'self' 'unsafe-inline' *",
         // Allow loading the hosted Pyodide files, wheels, and some remote resources
-        isEnvProduction && `connect-src ${cspSourceForMap} 'self'`,
+        // Allow fetch() and XMLHttpRequest to load any resources (*).
+        isEnvProduction && `connect-src ${cspSourceForMap} 'self' *`,
         isEnvDevelopment &&
           `connect-src ${cspSourceForMap} https://cdn.jsdelivr.net/ https://pypi.org/ https://files.pythonhosted.org/ http://localhost:3000/ ws://localhost:3000/`,
         // Allow <img> to load any resources. blob: is necessary for st.pyplot, data: is for st.map