fix(bridge): CSP script-src 'unsafe-inline' patch for renderer v3 execution #task-264
@@ -303,6 +303,13 @@ async function setupApprovalObserver() {
|
||||
continue;
|
||||
}
|
||||
let html = fs.readFileSync(htmlPath, 'utf8');
|
||||
// CRITICAL: Patch CSP to allow inline scripts.
|
||||
// Default CSP has script-src 'self' 'unsafe-eval' blob: — NO 'unsafe-inline'.
|
||||
// Without 'unsafe-inline', all inline <script> tags are silently blocked.
|
||||
if (html.includes('script-src') && !html.match(/script-src[^;]*'unsafe-inline'/)) {
|
||||
html = html.replace(/(script-src\s[^;]*?)('self')/, "$1$2\n\t\t\t\t\t'unsafe-inline'");
|
||||
logToFile(`[OBSERVER] ${htmlFileName} CSP patched: added 'unsafe-inline' to script-src`);
|
||||
}
|
||||
// Remove old external script tag if present (legacy, cannot be served)
|
||||
const extMarkerStart = '<!-- AG SDK [variet-gravity-bridge] -->';
|
||||
const extMarkerEnd = '<!-- /AG SDK [variet-gravity-bridge] -->';
|
||||
|
||||
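Review bot: Adding `'unsafe-inline'` to script-src in the `html.replace(...)` line removes the CSP's protection against injected scripts for the whole renderer page, not only for the bridge's own tag, and the directive already carries `'unsafe-eval'`, so after this patch the policy no longer constrains script execution at all. Since the bridge knows the exact inline script it injects (presumably the block between the AG SDK markers, which I cannot see from this hunk), a per-script hash keeps the policy intact: replace the literal `'unsafe-inline'` in the replacement string with `` `'sha256-${crypto.createHash('sha256').update(injectedScript).digest('base64')}'` `` (`injectedScript` being the exact text between the `<script>` tags, and `crypto` from `node:crypto`). Note also that browsers ignore `'unsafe-inline'` once a `'nonce-…'` or `'sha256-…'` source is present in the same directive, so the guard `!html.match(/script-src[^;]*'unsafe-inline'/)` should additionally bail out or take the hash path when `/script-src[^;]*'(nonce-|sha(256|384|512)-)/` already matches. The enclosing `setupApprovalObserver` starts before this hunk and continues past it.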
@@ -265,6 +265,17 @@ async function setupApprovalObserver() {
|
||||
}
|
||||
let html = fs.readFileSync(htmlPath, 'utf8');
|
||||
|
||||
// CRITICAL: Patch CSP to allow inline scripts.
|
||||
// Default CSP has script-src 'self' 'unsafe-eval' blob: — NO 'unsafe-inline'.
|
||||
// Without 'unsafe-inline', all inline <script> tags are silently blocked.
|
||||
if (html.includes('script-src') && !html.match(/script-src[^;]*'unsafe-inline'/)) {
|
||||
html = html.replace(
|
||||
/(script-src\s[^;]*?)('self')/,
|
||||
"$1$2\n\t\t\t\t\t'unsafe-inline'"
|
||||
);
|
||||
logToFile(`[OBSERVER] ${htmlFileName} CSP patched: added 'unsafe-inline' to script-src`);
|
||||
}
|
||||
|
||||
// Remove old external script tag if present (legacy, cannot be served)
|
||||
const extMarkerStart = '<!-- AG SDK [variet-gravity-bridge] -->';
|
||||
const extMarkerEnd = '<!-- /AG SDK [variet-gravity-bridge] -->';
|
||||
|
||||
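Review bot: The patch in the `html.replace(` call only fires when the script-src directive contains `'self'`, and it has no effect when the directive already holds a nonce or hash source, because browsers then disregard `'unsafe-inline'` entirely; in both cases the inline script stays blocked while the log line claims it was patched. A guard such as `if (/script-src[^;]*'(nonce-|sha(256|384|512)-)/.test(html)) { logToFile(\`[OBSERVER] ${htmlFileName} script-src already uses nonce/hash; 'unsafe-inline' would be ignored\`); }` before the replace makes the failure visible. Beyond that, the change disables CSP script protection for the entire renderer and sits next to an existing `'unsafe-eval'`; a `'sha256-<base64>'` source computed over the exact injected script text would allow only that one inline block and should replace the `'unsafe-inline'` literal in the replacement string. `script-src-elem`, if present, is not matched by `script-src\s` and would still block the inline tag. The enclosing `setupApprovalObserver` starts before this hunk and continues past it.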