From e81d41d092fedf21f50a8f716924ada1f71e3af8 Mon Sep 17 00:00:00 2001
From: Gabe Kangas
Date: Sat, 18 Sep 2021 10:06:47 -0700
Subject: [PATCH] Explicitly add unsafe-eval only when running automated browser tests
---
 router/middleware/headers.go | 11 ++++++++++- test/automated/browser/run.sh | 2 +- 2 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/router/middleware/headers.go b/router/middleware/headers.go
index ae658c4d9..abf5a59d0 100644
--- a/router/middleware/headers.go
+++ b/router/middleware/headers.go
@@ -1,7 +1,9 @@ package middleware import ( + "fmt" "net/http" + "os" "strings" )
@@ -10,9 +12,16 @@ func SetHeaders(w http.ResponseWriter) { // Tell Google to not use this response in their FLoC tracking. w.Header().Set("Permissions-Policy", "interest-cohort=()") + // When running automated browser tests we must allow `unsafe-eval` in our CSP + // so we can explicitly add it only when needed. inTest := os.Getenv("BROWSER_TEST") == "true" unsafeEval := "" + if inTest { + unsafeEval = `'unsafe-eval'` + } // Content security policy csp := []string{ - "script-src 'self' 'unsafe-eval' 'sha256-2HPCfJIJHnY0NrRDPTOdC7AOSJIcQyNxzUuut3TsYRY=' 'sha256-qYEKg5UMg/KbbMBkyPIGsxtkfn/safeLBT08DK3592g=' 'sha256-2erOadwY1DsoNdxVjGlxldMJrFEUzr5sLDdB8lmm9m8=' 'sha256-DgrU+KwEGMFcB8B2ZdQyuxWWvTm7LeGpc+8SkxbSxGA='", + fmt.Sprintf("script-src 'self' %s 'sha256-2HPCfJIJHnY0NrRDPTOdC7AOSJIcQyNxzUuut3TsYRY=' 'sha256-qYEKg5UMg/KbbMBkyPIGsxtkfn/safeLBT08DK3592g=' 'sha256-2erOadwY1DsoNdxVjGlxldMJrFEUzr5sLDdB8lmm9m8=' 'sha256-DgrU+KwEGMFcB8B2ZdQyuxWWvTm7LeGpc+8SkxbSxGA='", unsafeEval), "worker-src 'self' blob:", // No single quotes around blob: } w.Header().Set("Content-Security-Policy", strings.Join(csp, "; "))
diff --git a/test/automated/browser/run.sh b/test/automated/browser/run.sh
index c4877f423..8005467d0 100755
--- a/test/automated/browser/run.sh
+++ b/test/automated/browser/run.sh
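Review bot: The CSP relaxation is gated on an environment variable read on every request (`inTest := os.Getenv("BROWSER_TEST") == "true"` inside SetHeaders), so any deployment that happens to carry `BROWSER_TEST=true` in its environment — a copied .env, a container spec reused from CI — will silently serve `'unsafe-eval'` to real users with nothing in the logs to show it. I would evaluate the flag once at startup, `var allowUnsafeEval = os.Getenv("BROWSER_TEST") == "true"`, and log a prominent warning when it is set, so the weakened policy is both cheaper per request and visible; a build tag used only by the test script would remove the production exposure entirely. Also, when the flag is off the `%s` substitution leaves two spaces between `'self'` and the first hash; CSP source lists are whitespace-separated so this is harmless, but collecting the sources in a slice and joining them with `strings.Join` would avoid the gap and the new `fmt` import. The added comment is hard to parse as written — suggest `// Automated browser tests need 'unsafe-eval'; add it to script-src only when BROWSER_TEST=true so production keeps the strict policy.`. SetHeaders' closing brace lies beyond the hunk.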
@@ -19,7 +19,7 @@ pushd ../../.. > /dev/null # Build and run owncast from source go build -o owncast main.go pkged.go -./owncast -rtmpport 9021 -webserverport 5309 -database $TEMP_DB & +BROWSER_TEST=true ./owncast -rtmpport 9021 -webserverport 5309 -database $TEMP_DB & SERVER_PID=$! popd > /dev/null