From 0bb2e327799acae8db6c80272dfa83797ab06161 Mon Sep 17 00:00:00 2001 From: Timmy Willison Date: Sun, 20 Oct 2024 15:47:06 -0400 Subject: [PATCH] miscweb:grunt: add necessary exceptions to CSP headers **miscweb** - script-src: add 'wasm-unsafe-eval' for WebAssembly-driven search on bugs.jquery.com, bugs.jqueryui.com, and plugins.jquery.com - img-src: allow secure.gravatar.com images on plugins.jquery.com - media-src: allow content.jquery.com media on podcast.jquery.com **grunt** - script-src: add 'unsafe-eval' for the search functionality on gruntjs.com/plugins - the datatables plugin uses jQuery's eval. While later versions of jQuery switched to using script tags for eval, it would still require an exception. The best solution would be to re-implement search, but that will take time. Ref https://github.com/jquery/infrastructure-puppet/issues/54 Closes gh-63
---
 .../templates/contentorigin/site.nginx.erb | 10 +++++++++-
 .../profile/templates/gruntjscom/site.nginx.erb | 12 +++++++++++-
 modules/profile/templates/miscweb/site.nginx.erb | 15 ++++++++++++++-
 3 files changed, 34 insertions(+), 3 deletions(-)
diff --git a/modules/profile/templates/contentorigin/site.nginx.erb b/modules/profile/templates/contentorigin/site.nginx.erb
index 1cc80b7..4fa95f9 100644
--- a/modules/profile/templates/contentorigin/site.nginx.erb
+++ b/modules/profile/templates/contentorigin/site.nginx.erb
@@ -15,7 +15,15 @@ server {
 # Add Content Security Policy headers
 add_header Reporting-Endpoints "csp-endpoint='https://csp-report-api.openjs-foundation.workers.dev/'";
- add_header Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self' code.jquery.com; connect-src 'self'; img-src 'self'; style-src 'self'; report-uri https://csp-report-api.openjs-foundation.workers.dev/; report-to csp-endpoint";
+ add_header Content-Security-Policy-Report-Only "
+ default-src 'self';
+ script-src 'self' code.jquery.com;
+ connect-src 'self';
+ img-src 'self';
+ style-src 'self';
+ report-uri https://csp-report-api.openjs-foundation.workers.dev/;
+ report-to csp-endpoint
+ ";
 location / {
 root /srv/www/content.jquery.com;
diff --git a/modules/profile/templates/gruntjscom/site.nginx.erb b/modules/profile/templates/gruntjscom/site.nginx.erb
index 626f65f..4ffc8a4 100644
--- a/modules/profile/templates/gruntjscom/site.nginx.erb
+++ b/modules/profile/templates/gruntjscom/site.nginx.erb
@@ -19,7 +19,17 @@ server {
 # Add Content Security Policy headers
 add_header Reporting-Endpoints "csp-endpoint='https://csp-report-api.openjs-foundation.workers.dev/'";
- add_header Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self'; report-uri https://csp-report-api.openjs-foundation.workers.dev/; report-to csp-endpoint;" always;
+ # script-src: add 'unsafe-eval' for the search functionality on gruntjs.com/plugins
+ # Search will need to be reimplemented to remove this exception.
+ add_header Content-Security-Policy-Report-Only "
+ default-src 'self';
+ script-src 'self' 'unsafe-eval';
+ connect-src 'self';
+ img-src 'self';
+ style-src 'self';
+ report-uri https://csp-report-api.openjs-foundation.workers.dev/;
+ report-to csp-endpoint
+ " always;
 }
 location /.well-known/acme-challenge {
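Review bot: The new multi-line value puts raw line breaks into the header: nginx keeps a double-quoted argument as written, including the newlines and indentation, so the Content-Security-Policy-Report-Only value sent on the wire contains bare LF characters followed by spaces, which is not a valid HTTP field value and which proxies, CDNs or clients may truncate, reject or fold differently, silently losing CSP reports. The gruntjscom and miscweb hunks use the same layout. Because these are ERB templates, the directive list can stay one-per-line in the source and still render as a single-line header by assembling it in Ruby, as below; while touching the line I would also add `always`, as the gruntjscom template already does, since plain `add_header` only applies to a fixed set of 2xx/3xx status codes and error pages would otherwise go unreported. Separately, `default-src` does not cover `base-uri`, `form-action` or `frame-ancestors`, so none of the three policies restricts those yet.
```erb
    add_header Content-Security-Policy-Report-Only "<%= [
      "default-src 'self'",
      "script-src 'self' code.jquery.com",
      "connect-src 'self'",
      "img-src 'self'",
      "style-src 'self'",
      "report-uri https://csp-report-api.openjs-foundation.workers.dev/",
      "report-to csp-endpoint",
    ].join('; ') %>" always;
```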
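Review bot: `'unsafe-eval'` is granted for the whole gruntjs.com server block even though the added comment says it is only needed by the search on /plugins; while the policy is Report-Only that means eval usage anywhere on the site stops being reported, and once it is enforced the exception will cover pages that never needed it. If the plugins page is served from its own location, the server-level line can stay at the stricter `script-src 'self';` and the `'unsafe-eval'` variant can be set in a `location` for that path only, remembering that `add_header` directives inside a location replace every inherited `add_header`, so `Reporting-Endpoints` has to be repeated there. I would also point the comment at the tracking issue for re-implementing search (the commit message references infrastructure-puppet#54), e.g. `# TODO: drop 'unsafe-eval' once search no longer relies on eval, see <tracking issue>`. The enclosing server block starts and ends outside this hunk.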
diff --git a/modules/profile/templates/miscweb/site.nginx.erb b/modules/profile/templates/miscweb/site.nginx.erb
index 41e5635..e7eb640 100644
--- a/modules/profile/templates/miscweb/site.nginx.erb
+++ b/modules/profile/templates/miscweb/site.nginx.erb
@@ -20,7 +20,20 @@ server {
 # Add Content Security Policy headers
 add_header Reporting-Endpoints "csp-endpoint='https://csp-report-api.openjs-foundation.workers.dev/'";
- add_header Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self' code.jquery.com; connect-src 'self'; img-src 'self'; style-src 'self'; report-uri https://csp-report-api.openjs-foundation.workers.dev/; report-to csp-endpoint";
+ # script-src: add 'wasm-unsafe-eval' for WebAssembly-driven search on
+ # bugs.jquery.com, bugs.jqueryui.com, and plugins.jquery.com
+ # img-src: allow secure.gravatar.com images on plugins.jquery.com
+ # media-src: allow content.jquery.com media on podcast.jquery.com
+ add_header Content-Security-Policy-Report-Only "
+ default-src 'self';
+ script-src 'self' 'wasm-unsafe-eval' code.jquery.com;
+ connect-src 'self';
+ img-src 'self' secure.gravatar.com;
+ style-src 'self';
+ media-src 'self' content.jquery.com;
+ report-uri https://csp-report-api.openjs-foundation.workers.dev/;
+ report-to csp-endpoint
+ ";
 <%- if @site['allow_php'] -%>
 index index.php index.html;
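Review bot: Each of the three new allowances is justified by one specific site in the comment, yet this template appears to be shared by every miscweb vhost (the comment itself names bugs.jquery.com, bugs.jqueryui.com, plugins.jquery.com and podcast.jquery.com), so all of them receive all three: podcast.jquery.com would be allowed Gravatar images and plugins.jquery.com would be allowed content.jquery.com media, which widens each site's policy beyond what it needs. The context line `<%- if @site['allow_php'] -%>` shows per-site data is already available, so each extra source could be appended only when an `@site` flag of your choosing is set, keeping `script-src 'self' code.jquery.com; img-src 'self'; media-src 'self'` as the baseline for the other sites. The enclosing server block starts and ends outside this hunk.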