Merge pull request #4118 from mozilla/prod-fix-2023.11.08.6

Add hashes for content with comment space
mozilla · Nov 15, 2023 · ee826e8 · ee826e8
2 parents c507261 + f355b07
commit ee826e8
Showing 1 changed file with 12 additions and 1 deletion.
diff --git a/privaterelay/settings.py b/privaterelay/settings.py
@@ -133,14 +133,25 @@
     # not set by us, so we use an explicit allowlist with the hashes of the
     # styles generated by Next.js.
     _next_css_path = Path(STATIC_ROOT) / "_next" / "static" / "css"
+    hashes = []
     for path in _next_css_path.glob("*.css"):
         content = open(path, "rb").read()
 
         # Use sha256 hashes, to keep in sync with Chrome.
         # When CSP rules fail in Chrome, it provides the sha256 hash that would
         # have matched.
         the_hash = base64.b64encode(sha256(content).digest()).decode()
-        csp_style_values.append("'sha256-%s'" % the_hash)
+        hashes.append("'sha256-%s'" % the_hash)
+
+        # The sourceMappingURL is slightly different when loaded dynamically
+        # in next 14.0.0. Capture hash for alternate.
+        if content.endswith(b"map*/"):
+            space_content = content[:-2] + b" " + content[-2:]
+            assert space_content.endswith(b"map */")
+            space_hash = base64.b64encode(sha256(space_content).digest()).decode()
+            hashes.append("'sha256-%s'" % space_hash)
+    hashes.sort()
+    csp_style_values.extend(hashes)
 
 CSP_STYLE_SRC = tuple(csp_style_values)