Merge pull request #1428 from kethinov/0.22.12

0.22.12
rooseveltframework · Jun 9, 2024 · c70d8de · c70d8de
2 parents 745942e + 1cf1268
commit c70d8de
Show file tree

Hide file tree

Showing 5 changed files with 33 additions and 25 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,6 +4,11 @@
 
 - Put your changes here...
 
+## 0.22.12
+
+- Added `'unsafe-inline'` option to helmet's `Content-Security-Policy`'s `script-src` directive by default in Roosevelt. This will prevent inline scripts from being blocked in production mode.
+- Updated various dependencies.
+
 ## 0.22.11
 
 - Added `DISABLE_HTTPS` environment variable which when set to `true`, the HTTPS server will be disabled and the app will revert to HTTP regardless of what is set in the `rooseveltConfig`.

diff --git a/README.md b/README.md
@@ -599,7 +599,9 @@ Resolves to:
 
 - `helmet`: Parameters to pass to the [helmet](https://github.com/helmetjs/helmet) module. This module helps secure Express apps by setting HTTP response headers.
 
-  - Default: *[Object]* The default options are specified in the [helmet docs](https://helmetjs.github.io/), with the exception of the `upgrade-insecure-requests` option that helmet sets in the `Content-Security-Policy`, which has been removed by default in Roosevelt.
+  - Default: *[Object]* The default options are specified in the [helmet docs](https://helmetjs.github.io/), with the following exceptions:
+    - The `upgrade-insecure-requests` option that helmet sets in the `Content-Security-Policy` has been removed by default in Roosevelt.
+    - The `'unsafe-inline'` option has been added to the `Content-Security-Policy`'s `script-src` directive by default in Roosevelt.
 
 - `logging`: Parameters to pass to [roosevelt-logger](https://github.com/rooseveltframework/roosevelt-logger). See [roosevelt-logger parameters documentation](https://github.com/rooseveltframework/roosevelt-logger#configure-logger) for configuration options.
 

diff --git a/lib/setExpressConfigs.js b/lib/setExpressConfigs.js
@@ -148,6 +148,7 @@ module.exports = function (app) {
       contentSecurityPolicy = {}
       contentSecurityPolicy.directives = helmet.contentSecurityPolicy.getDefaultDirectives()
       delete contentSecurityPolicy.directives['upgrade-insecure-requests']
+      contentSecurityPolicy.directives['script-src'].push('\'unsafe-inline\'')
     }
     app.use(helmet({ ...params.helmet, contentSecurityPolicy }))
   }

diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -8,7 +8,7 @@
       "url": "https://github.com/rooseveltframework/roosevelt/graphs/contributors"
     }
   ],
-  "version": "0.22.11",
+  "version": "0.22.12",
   "files": [
     "defaultErrorPages",
     "lib",
@@ -32,7 +32,7 @@
     "cookie-parser": "1.4.6",
     "csrf-csrf": "3.0.6",
     "es6-template-strings": "2.0.1",
-    "execa": "9.1.0",
+    "execa": "9.2.0",
     "express": "4.19.2",
     "express-html-validator": "0.2.4",
     "express-session": "1.18.0",