From e64bc3420a38dae672cb3f65c513b8e94eadbe2c Mon Sep 17 00:00:00 2001 From: Deepak K <89829542+Deepak-Kesavan@users.noreply.github.com> Date: Thu, 26 Mar 2026 18:28:20 +0530 Subject: [PATCH 1/2] Change csp to report only --- frontend/nginx.conf | 11 ++--------- 1 file changed, 2 insertions(+), 9 deletions(-) diff --git a/frontend/nginx.conf b/frontend/nginx.conf index ab140947b8..d38c93820b 100644 --- a/frontend/nginx.conf +++ b/frontend/nginx.conf @@ -47,15 +47,8 @@ http { add_header X-Frame-Options "SAMEORIGIN" always; add_header Referrer-Policy "strict-origin-when-cross-origin" always; - # Content Security Policy (single quoted string required by nginx add_header) - # - 'unsafe-inline' in script-src: required for runtime-config.js injected at container start - # - 'unsafe-eval' in script-src: required by RJSF (React JSON Schema Form) which uses new Function() - # - 'unsafe-inline' in style-src: required by Ant Design CSS-in-JS - # - blob: in connect-src: required by PDF.js viewer for blob: URL document loading - # - cdn.jsdelivr.net: Monaco Editor loads from this CDN - # - unpkg.com: PDF.js worker - # - PostHog, GTM, reCAPTCHA, Stripe, Product Fruits: third-party services - add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.jsdelivr.net https://unpkg.com https://eu.i.posthog.com https://eu-assets.i.posthog.com https://www.googletagmanager.com https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://js.stripe.com https://app.productfruits.com; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob: https://eu.i.posthog.com https://eu-assets.i.posthog.com; font-src 'self' data:; connect-src 'self' blob: wss: https://eu.i.posthog.com https://eu-assets.i.posthog.com https://www.google-analytics.com https://api.stripe.com https://app.productfruits.com; frame-src 'self' https://www.google.com/recaptcha/ https://recaptcha.google.com https://js.stripe.com https://hooks.stripe.com; worker-src 'self' blob: https://unpkg.com https://cdn.jsdelivr.net; object-src 'none'; base-uri 'self'; form-action 'self' https://checkout.stripe.com; frame-ancestors 'self'" always; + # CSP in report-only mode: logs violations to browser console without blocking requests. + add_header Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.jsdelivr.net https://unpkg.com https://eu.i.posthog.com https://eu-assets.i.posthog.com https://www.googletagmanager.com https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://js.stripe.com https://app.productfruits.com; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob: https://eu.i.posthog.com https://eu-assets.i.posthog.com; font-src 'self' data:; connect-src 'self' blob: wss: https://cdn.jsdelivr.net https://eu.i.posthog.com https://eu-assets.i.posthog.com https://www.google-analytics.com https://api.stripe.com https://app.productfruits.com; frame-src 'self' https://www.google.com/recaptcha/ https://recaptcha.google.com https://js.stripe.com https://hooks.stripe.com; worker-src 'self' blob: https://unpkg.com https://cdn.jsdelivr.net; object-src 'none'; base-uri 'self'; form-action 'self' https://checkout.stripe.com; frame-ancestors 'self'" always; # Disable TRACE and TRACK methods if ($request_method ~ ^(TRACE|TRACK)$) { From 449bc028efb3aabf27b71c355cb84812b8c9d5c9 Mon Sep 17 00:00:00 2001 From: Ritwik G <100672805+ritwik-g@users.noreply.github.com> Date: Mon, 4 May 2026 14:38:52 +0530 Subject: [PATCH 2/2] [HOTFIX] Bool-parse ENABLE_HIGHLIGHT_API_DEPLOYMENT env var (v0.161.4) (#1939) [HOTFIX] Bool-parse ENABLE_HIGHLIGHT_API_DEPLOYMENT env var (#1937) [FIX] Bool-parse ENABLE_HIGHLIGHT_API_DEPLOYMENT env var os.environ.get returns the raw string when the variable is set, so ENABLE_HIGHLIGHT_API_DEPLOYMENT="False" was truthy in Python (any non-empty string is truthy). Wrap in CommonUtils.str_to_bool so "False" / "false" / "0" actually evaluate to False. The setting is consumed by the cloud configuration plugin's spec default (ConfigSpec.default in plugins/configuration/cloud_config.py) on cloud and on-prem builds. With this fix, an admin who explicitly sets the env var to a falsy string sees highlight data stripped as expected. Co-authored-by: vishnuszipstack <117254672+vishnuszipstack@users.noreply.github.com> Co-authored-by: Claude Opus 4.7 (1M context) --- backend/backend/settings/base.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/backend/backend/settings/base.py b/backend/backend/settings/base.py index bb62960ae0..279ac463b5 100644 --- a/backend/backend/settings/base.py +++ b/backend/backend/settings/base.py @@ -689,4 +689,6 @@ def filter(self, record): ) raise ValueError(ERROR_MESSAGE) -ENABLE_HIGHLIGHT_API_DEPLOYMENT = os.environ.get("ENABLE_HIGHLIGHT_API_DEPLOYMENT", False) +ENABLE_HIGHLIGHT_API_DEPLOYMENT = CommonUtils.str_to_bool( + os.environ.get("ENABLE_HIGHLIGHT_API_DEPLOYMENT", "False") +)