undid nonce changes

2025-12-14 23:02:11 -06:00 · 2025-12-14 23:02:11 -06:00 · 844097ecf0
commit 844097ecf0
parent a0748788ee
3 changed files with 6 additions and 15 deletions
--- a/app/Http/Middleware/AddContentSecurityPolicy.php
+++ b/app/Http/Middleware/AddContentSecurityPolicy.php
@ -15,13 +15,6 @@ class AddContentSecurityPolicy
     */
    public function handle(Request $request, Closure $next): Response
    {
-        // Generate a random nonce for this request
-        $nonce = base64_encode(random_bytes(16));
-
-        // Store nonce in request attributes so Livewire can access it
-        $request->attributes->set('csp-nonce', $nonce);
-
-        // Get the response
        $response = $next($request);

        // Build CSP header
@ -31,12 +24,10 @@ class AddContentSecurityPolicy
                   "style-src 'self' 'unsafe-inline' http: https:; " .
                   "connect-src 'self' ws: http: https:;";
        } else {
-            // Strict CSP for production with nonces
-            $scriptSrc = "'self' 'nonce-{$nonce}' https:";
-            $styleSrc = "'self' 'unsafe-inline' https:";
-            $connectSrc = "'self' https:";
-
-            $csp = "script-src {$scriptSrc}; style-src {$styleSrc}; connect-src {$connectSrc};";
+            // Production CSP - Livewire v3 requires unsafe-eval
+            $csp = "script-src 'self' 'unsafe-eval' https:; " .
+                   "style-src 'self' 'unsafe-inline' https:; " .
+                   "connect-src 'self' https:;";
        }

        $response->headers->set('Content-Security-Policy', $csp);