Merge pull request #7105 from overleaf/jpa-static-no-csp

[web] remove CSP header from static assets

GitOrigin-RevId: 2f12974f490ff22796ed74c38a466fe4649877c1

services/web/app/src/infrastructure/CSP.js

@@ -93,4 +93,10 @@ function relativeViewPath(view) {
     : path.join('app', 'views', view)
 }
 
+function removeCSPHeaders(res) {
+  res.removeHeader('Content-Security-Policy')
+  res.removeHeader('Content-Security-Policy-Report-Only')
+}
+
 module.exports.buildDefaultPolicy = buildDefaultPolicy
+module.exports.removeCSPHeaders = removeCSPHeaders

services/web/app/src/infrastructure/Server.js

@@ -121,11 +121,13 @@ webRouter.get(
   '/serviceWorker.js',
   express.static(Path.join(__dirname, '/../../../public'), {
     maxAge: oneDayInMilliseconds,
+    setHeaders: csp.removeCSPHeaders,
   })
 )
 webRouter.use(
   express.static(Path.join(__dirname, '/../../../public'), {
     maxAge: STATIC_CACHE_AGE,
+    setHeaders: csp.removeCSPHeaders,
   })
 )
 app.set('views', Path.join(__dirname, '/../../views'))

services/web/webpack.config.dev.js

@@ -3,7 +3,6 @@ const merge = require('webpack-merge')
 const MiniCssExtractPlugin = require('mini-css-extract-plugin')
 
 const base = require('./webpack.config')
-const { buildDefaultPolicy } = require('./app/src/infrastructure/CSP')
 
 module.exports = merge(base, {
   mode: 'development',
@@ -31,10 +30,6 @@ module.exports = merge(base, {
     port: 3808,
     public: 'www.dev-overleaf.com:443',
 
-    headers: {
-      'Content-Security-Policy': buildDefaultPolicy(),
-    },
-
     // Customise output to the (node) console
     stats: {
       colors: true, // Enable some coloured highlighting