From 5986749757406552f2ce088e70bee878ad001088 Mon Sep 17 00:00:00 2001
From: Ed Morley <501702+edmorley@users.noreply.github.com>
Date: Tue, 26 Feb 2019 08:04:53 +0000
Subject: [PATCH] Bug 1530602 - Adjust Content-Security-Policy to fix ajv.compile() (#4703)
Unfortunately the "Custom Actions" usage of `ajv.compile()` requires that the `script-src` CSP directive contain `'unsafe-eval'`, otherwise the whole feature breaks. Using `'unsafe-eval'` defeats much of the point of CSP, so it should be removed as soon as possible. Bug 1530607 is filed to track.
---
 tests/test_middleware.py | 2 +-
 treeherder/middleware.py | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/tests/test_middleware.py b/tests/test_middleware.py
index 3e0528a78..a209788b4 100644
--- a/tests/test_middleware.py
+++ b/tests/test_middleware.py
@@ -50,5 +50,5 @@ def test_content_security_policy_header(client):
 # which will be served with the same headers as our frontend HTML.
 response = client.get('/static/rest_framework/css/default.css')
 assert response.has_header('Content-Security-Policy')
- policy_regex = r"default-src 'none'; script-src 'self' 'report-sample'; .*; report-uri /api/csp-report/"
+ policy_regex = r"default-src 'none'; script-src 'self' 'unsafe-eval' 'report-sample'; .*; report-uri /api/csp-report/"
 assert re.match(policy_regex, response['Content-Security-Policy'])
diff --git a/treeherder/middleware.py b/treeherder/middleware.py
index f60a62371..93b1ffc3e 100644
--- a/treeherder/middleware.py
+++ b/treeherder/middleware.py
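Review bot: The updated `policy_regex` now pins `'unsafe-eval'` as the expected header without recording that it is a temporary concession, so this test will keep enforcing the weakened policy until someone remembers bug 1530607 and will fail the moment the directive is tightened again. A comment above the assignment, e.g. `# 'unsafe-eval' is a temporary concession for Custom Actions' ajv.compile(); drop it here when bug 1530607 removes it from CSP_DIRECTIVES.`, ties the test to the follow-up. Note also that `re.match` only anchors at the start and the `.*` accepts any directives in the middle, so this assertion would not notice other directives being loosened; that is pre-existing rather than introduced here.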
@@ -10,8 +10,9 @@ from whitenoise.middleware import WhiteNoiseMiddleware
 # redirect need to have both the original and redirected domains whitelisted.
 CSP_DIRECTIVES = [
 "default-src 'none'",
+ # The unsafe-eval is required for Custom Action's use of `ajv`. See bug 1530607.
 # 'report-sample' instructs the browser to include a sample of the violating JS to assist with debugging.
- "script-src 'self' 'report-sample'",
+ "script-src 'self' 'unsafe-eval' 'report-sample'",
 # The unsafe-inline is required for react-select's use of emotion (CSS in JS). See bug 1507903.
 # The Google entries are required for IFV's use of the Open Sans font from their CDN.
 "style-src 'self' 'unsafe-inline' 'report-sample' https://fonts.googleapis.com",
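Review bot: `'unsafe-eval'` on the new `script-src` line re-enables `eval()`, `new Function()` and string arguments to `setTimeout`/`setInterval` for every script the policy allows, not only for ajv, so an injection that reaches a string-to-code sink anywhere else in the frontend is no longer stopped by CSP and will no longer be reported to `/api/csp-report/`. Since the policy already carries a `report-uri`, consider also emitting the previous strict policy (without `'unsafe-eval'`) in a `Content-Security-Policy-Report-Only` header so eval use keeps being reported and bug 1530607 can be closed with evidence that only the Custom Actions path depends on it. The new comment should also say what would let the directive be tightened again, e.g. `# The unsafe-eval is required for Custom Action's use of `ajv` (ajv.compile() presumably builds validators via new Function); precompiling the schemas at build time would remove the need. See bug 1530607.`, with the ajv-internals part confirmed against the frontend code. The `CSP_DIRECTIVES` list continues past the end of the hunk.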