refactor: update Content Security Policy to allow 'wasm-unsafe-eval' in script-src directive

2025-10-20 13:55:32 +08:00 · 2025-10-20 13:55:32 +08:00 · ebabbc8dce
parent 9a362d9ac6
commit ebabbc8dce
2 changed files with 1 additions and 7 deletions
--- a/web/app/components/base/ga/index.tsx
+++ b/web/app/components/base/ga/index.tsx
@ -18,7 +18,6 @@ export type IGAProps = {
  gaType: GaType
 }

-// 从 CSP header 中提取 nonce
 const extractNonceFromCSP = (cspHeader: string | null): string | undefined => {
  if (!cspHeader)
    return undefined
@ -32,16 +31,11 @@ const GA: FC<IGAProps> = ({
  if (IS_CE_EDITION)
    return null

-  // 从 CSP header 中提取 nonce，而不是直接读取 x-nonce
  const cspHeader = process.env.NODE_ENV === 'production'
    ? (headers() as unknown as UnsafeUnwrappedHeaders).get('content-security-policy')
    : null
  const nonce = extractNonceFromCSP(cspHeader)

-  // 服务端日志：验证 nonce 提取
-  if (typeof window === 'undefined')
-    console.log('[GA SSR] CSP header:', cspHeader ? 'exists' : 'MISSING', '| nonce:', nonce ? `extracted (${nonce.substring(0, 10)}...)` : 'NOT FOUND')
-
  return (
    <>
      {/* Initialize dataLayer first */}
--- a/web/middleware.ts
+++ b/web/middleware.ts
@ -33,7 +33,7 @@ export function middleware(request: NextRequest) {
  const cspHeader = `
    default-src 'self' ${scheme_source} ${csp} ${whiteList};
    connect-src 'self' ${scheme_source} ${csp} ${whiteList};
-    script-src 'self' ${scheme_source} ${csp} ${whiteList};
+    script-src 'self' 'wasm-unsafe-eval' ${scheme_source} ${csp} ${whiteList};
    style-src 'self' 'unsafe-inline' ${scheme_source} ${whiteList};
    worker-src 'self' ${scheme_source} ${csp} ${whiteList};
    media-src 'self' ${scheme_source} ${csp} ${whiteList};