LemmyNet · phiresky · Jul 10, 2023 · dessalines · Jul 10, 2023 · kevincox
@@ -10,7 +10,16 @@ export function setDefaultCsp({
 }) {
   res.setHeader(
     "Content-Security-Policy",
-    `default-src 'self'; manifest-src *; connect-src *; img-src * data:; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; form-action 'self'; base-uri 'self'; frame-src *; media-src * data:`
+    `default-src 'self';
+    manifest-src *;
+    connect-src *;
+    img-src * data:;
+    script-src 'self';
+    style-src 'self' 'unsafe-inline';
+    form-action 'self';
+    base-uri 'self';
+    frame-src *;
+    media-src * data:`.replace(/\s+/g, " ")
   );
 
   next();

@@ -1,7 +1,6 @@
 import { getStaticDir } from "@utils/env";
 import { Helmet } from "inferno-helmet";
 import { renderToString } from "inferno-server";
-import serialize from "serialize-javascript";
 import sharp from "sharp";
 import { favIconPngUrl, favIconUrl } from "../../shared/config";
 import { ILemmyConfig, IsoDataOptionalSite } from "../../shared/interfaces";
@@ -59,8 +58,12 @@ export async function createSsrHtml(
     <!DOCTYPE html>
     <html ${helmet.htmlAttributes.toString()}>
     <head>
-    <script>window.isoData = ${serialize(isoData)}</script>
-    <script>window.lemmyConfig = ${serialize(config)}</script>
+    <script type="application/json" id="isoData">${JSON.stringify(
+      isoData
+    )}</script>
+    <script type="application/json" id="lemmyConfig">${JSON.stringify(
+      config
+    )}</script>
 
     <!-- A remote debugging utility for mobile -->
     ${erudaStr}

@@ -6,6 +6,8 @@ export default function setIsoData<T extends RouteData>(
 ): IsoData<T> {
   // If its the browser, you need to deserialize the data from the window
   if (isBrowser()) {
-    return window.isoData;
+    const ele = document.getElementById("isoData");
+    if (!ele) throw Error("could not find iso data");
+    return JSON.parse(ele.textContent ?? "");
   } else return context.router.staticContext;
 }