fix: CSP scripts unsafe

weni-ai · Nov 25, 2024 · 61a2ccf · 61a2ccf
1 parent 458bda7
commit 61a2ccf
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 19 deletions.
diff --git a/index.html b/index.html
@@ -2,41 +2,25 @@
 <html lang="en">
 
 <head>
-  <!-- Google Tag Manager -->
-  <script>(function (w, d, s, l, i) {
-      w[l] = w[l] || []; w[l].push({
-        'gtm.start':
-          new Date().getTime(), event: 'gtm.js'
-      }); var f = d.getElementsByTagName(s)[0],
-        j = d.createElement(s), dl = l != 'dataLayer' ? '&l=' + l : ''; j.async = true; j.src =
-          'https://www.googletagmanager.com/gtm.js?id=' + i + dl; f.parentNode.insertBefore(j, f);
-    })(window, document, 'script', 'dataLayer', 'GTM-TL2549P');
-  </script>
-  <!-- End Google Tag Manager -->
   <meta charset="utf-8">
   <meta http-equiv="X-UA-Compatible" content="IE=edge">
   <meta name="viewport" content="width=device-width,initial-scale=1.0">
   <link rel="icon" href="/favicon.ico">
   <title>Weni</title>
-  <script src="https://js.stripe.com/v3"></script>
-  <script>
+  <script nonce="stripe" src="https://js.stripe.com/v3"></script>
+  <script nonce="env">
     //CONFIGURATIONS_PLACEHOLDER
   </script>
 </head>
 
 <body>
-  <!-- Google Tag Manager (noscript) -->
-  <noscript><iframe src="https://www.googletagmanager.com/ns.html?id=GTM-TL2549P" height="0" width="0"
-      style="display:none;visibility:hidden"></iframe></noscript>
-  <!-- End Google Tag Manager (noscript) -->
   <noscript>
     <strong>We're sorry but this app doesn't work properly without JavaScript enabled. Please enable it to
       continue.</strong>
   </noscript>
   <div id="app"></div>
   <!-- built files will be auto injected -->
-  <script type="module" src="/src/main.js"></script>
-
+  <script nonce="app" type="module" src="/src/main.js"></script>
 </body>
 
 </html>
diff --git a/src/utils/plugins/Hotjar.js b/src/utils/plugins/Hotjar.js
@@ -18,6 +18,7 @@ export default function (
     h._hjSettings = { hjid: Number(env('HOTJAR_ID')), hjsv: 6 };
     a = o.getElementsByTagName('head')[0];
     r = o.createElement('script');
+    r.setAttribute('nonce', 'hotjar');
     r.async = 1;
     r.src = t + h._hjSettings.hjid + j + h._hjSettings.hjsv;
     a.appendChild(r);