@@ -39,7 +39,8 @@ const WEBEXTENSION_POLYFILL_REPLACEMENT =
3939 'console.warn("Webextension-polyfill check bypassed for corpus testing")'
4040const BROWSER_API_MOCKS =
4141 'window.chrome=window.chrome||{runtime:{getURL:path=>"chrome-extension://gitcasso-test/"+path,onMessage:{addListener:()=>{}},sendMessage:()=>Promise.resolve(),id:"gitcasso-test"}};window.browser=window.chrome;'
42- const PERMISSIVE_CSP = "default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob: http: https:;"
42+ const PERMISSIVE_CSP =
43+ "default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob: http: https:; connect-src 'self' http: https:; script-src 'self' 'unsafe-inline' 'unsafe-eval';"
4344
4445// UI Styles
4546const REBUILD_BUTTON_STYLES = `
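Review bot: The explicit `connect-src` and `script-src` directives added to PERMISSIVE_CSP at line 43 are narrower than the `default-src` they sit next to (neither allows `data:` or `blob:`), so rather than loosening the policy they silently tighten it for scripts and fetches from those schemes; if the intent is "allow everything for the local corpus server", `default-src` alone already does that and the two extra directives can be dropped. If the narrower script/connect sources are deliberate, a one-line comment saying so would stop the next reader from treating it as an oversight, e.g. `// default-src covers all fetch directives; script-src/connect-src are listed explicitly to keep them off data:/blob:`. Either way the constant deserves a comment stating it is only served by this local test server and is not a policy any real deployment should copy.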
@@ -237,6 +238,10 @@ app.get('/corpus/:key/:mode(clean|gitcasso)', async (req, res) => {
237238
238239 // Replace external URLs with local asset URLs
239240 let html = mainEntry . response . content . text !
241+
242+ // Strip CSP headers that might block our injected scripts
243+ html = stripCSPFromHTML ( html )
244+
240245 domains . forEach ( ( domain ) => {
241246 const escapedDomain = domain . replace ( / [ . * + ? ^ $ { } ( ) | [ \] \\ ] / g, '\\$&' )
242247 const regex = new RegExp ( `https?://${ escapedDomain } ` , 'g' )
@@ -245,6 +250,13 @@ app.get('/corpus/:key/:mode(clean|gitcasso)', async (req, res) => {
245250 if ( mode === 'gitcasso' ) {
246251 html = injectGitcassoScriptForHAR ( key , html )
247252 }
253+
254+ // Set permissive headers for HAR corpus to allow rebuild requests
255+ res . set ( {
256+ 'Content-Security-Policy' : PERMISSIVE_CSP ,
257+ 'X-Content-Type-Options' : 'nosniff' ,
258+ } )
259+
248260 return res . send ( html )
249261 } else if ( entry . type === 'html' ) {
250262 // Handle HTML corpus
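Review bot: The comment at line 254 calls these "permissive headers", but `X-Content-Type-Options: nosniff` at line 257 is a hardening header, not a permissive one: with it set, the browser refuses to execute a script or apply a stylesheet whose response does not carry a matching Content-Type, so HAR-replayed assets served with a missing or generic type would stop loading rather than start. Presumably asset responses on this server go through a separate route and may not be affected, but that cannot be confirmed from the hunk; either drop `nosniff` here or reword the comment to `// Relax CSP for the HAR corpus so rebuild requests are allowed; nosniff is kept on purpose`. Note also that the headers are set only on this HAR branch before `res.send(html)`; the `entry.type === 'html'` branch that follows sends its own response and does not get them, which may or may not be intended. The enclosing route handler starts and ends outside this hunk.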
@@ -385,12 +397,15 @@ app.listen(PORT, () => {
385397
386398// Strip CSP meta tags and headers from HTML that might block our scripts
387399function stripCSPFromHTML ( html : string ) : string {
388- // Remove CSP meta tags
389- html = html . replace ( / < m e t a [ ^ > ] * h t t p - e q u i v \s * = \s * [ " ' ] c o n t e n t - s e c u r i t y - p o l i c y [ " ' ] [ ^ > ] * > / gi, '' )
390- html = html . replace ( / < m e t a [ ^ > ] * n a m e \s * = \s * [ " ' ] c o n t e n t - s e c u r i t y - p o l i c y [ " ' ] [ ^ > ] * > / gi, '' )
400+ // Remove CSP meta tags - more comprehensive patterns
401+ html = html . replace ( / < m e t a [ ^ > ] * h t t p - e q u i v \s * = \s * [ " ' ] ? c o n t e n t - s e c u r i t y - p o l i c y [ " ' ] ? [ ^ > ] * > / gi, '' )
402+ html = html . replace ( / < m e t a [ ^ > ] * n a m e \s * = \s * [ " ' ] ? c o n t e n t - s e c u r i t y - p o l i c y [ " ' ] ? [ ^ > ] * > / gi, '' )
403+
404+ // Also match patterns where content-security-policy appears anywhere in the meta tag
405+ html = html . replace ( / < m e t a [ ^ > ] * c o n t e n t - s e c u r i t y - p o l i c y [ ^ > ] * > / gi, '' )
391406
392407 // Remove any other restrictive security meta tags
393- html = html . replace ( / < m e t a [ ^ > ] * h t t p - e q u i v \s * = \s * [ " ' ] x - c o n t e n t - t y p e - o p t i o n s [ " ' ] [ ^ > ] * > / gi, '' )
408+ html = html . replace ( / < m e t a [ ^ > ] * h t t p - e q u i v \s * = \s * [ " ' ] ? x - c o n t e n t - t y p e - o p t i o n s [ " ' ] ? [ ^ > ] * > / gi, '' )
394409
395410 return html
396411}
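Review bot: The third replacement added at line 405 matches any `<meta ...>` tag that contains the text `content-security-policy` anywhere between `<` and `>`, which is a strict superset of what the two optional-quote patterns at lines 401–402 match, so those two lines no longer remove anything the third one would not; the function now also drops unrelated meta tags whose attribute value merely mentions the phrase (a `name="description"` tag in a page about CSP, for example). Keeping the attribute-anchored form avoids that over-match while still covering unquoted values: replace the three CSP replacements with the single `html = html.replace(/<meta[^>]*(?:http-equiv|name)\s*=\s*["']?content-security-policy["']?[^>]*>/gi, '')`. If the broad pattern is intentional for a test corpus, say so in the comment at line 404 (`// Deliberately broad: drops any <meta> mentioning CSP, including false positives`) and delete the two redundant lines so the function does not suggest they still matter.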