CCM-5340: fix unsafe eval dev mode

alexnuttall · alexnuttall · commit 86d4de110b65 · 2025-01-30T15:38:06.000Z
diff --git a/frontend/src/middleware.ts b/frontend/src/middleware.ts
@@ -9,9 +9,9 @@ function isExcludedPath(path: string, excludedPaths: string[]): boolean {
 export async function middleware(request: NextRequest) {
   const nonce = Buffer.from(crypto.randomUUID()).toString('base64');
   const cspUnsafeEval =
-    process.env.NODE_ENV === 'production' ? '' : `'unsafe-eval'`;
+    process.env.NODE_ENV === 'production' ? '' : `http: 'unsafe-eval'`;
 
-  const csp = `base-uri 'self'; form-action 'self'; frame-ancestors 'none'; default-src 'none'; connect-src 'self'; font-src 'self' https://assets.nhs.uk; img-src 'self'; script-src 'self' 'nonce-${nonce}' https: http: ${cspUnsafeEval}; style-src 'self' 'nonce-${nonce}'; upgrade-insecure-requests`;
+  const csp = `base-uri 'self'; form-action 'self'; frame-ancestors 'none'; default-src 'none'; connect-src 'self'; font-src 'self' https://assets.nhs.uk; img-src 'self'; script-src 'self' 'nonce-${nonce}' ${cspUnsafeEval}; style-src 'self' 'nonce-${nonce}'; upgrade-insecure-requests`;
 
   const requestHeaders = new Headers(request.headers);
   requestHeaders.set('x-nonce', nonce);
