Set mercure to version 0.15.5 (#561)

* Set mercure to version 0.15.5 * Update nodejs Update csp
123inkt · Dec 23, 2023 · e741cbd · e741cbd
1 parent 2e21d1c
commit e741cbd
Show file tree

Hide file tree

Showing 6 changed files with 15 additions and 6 deletions.
diff --git a/.env b/.env
@@ -14,6 +14,7 @@ MYSQL_PORT=3306
 MYSQL_DATA_DIR=./docker/db/data
 RABBITMQ_CLIENT_PORT=5672
 RABBITMQ_API_PORT=15672
+MERCURE_VERSION=v0.15.5
 MERCURE_SSL_PORT=6443
 HIGHLIGHTJS_HOST=nodejs
 HIGHLIGHTJS_PORT=3000

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -25,10 +25,10 @@ jobs:
         steps:
             -   name: Checkout
                 uses: actions/checkout@v4
-            -   name: Use Node.js 18.x
+            -   name: Use Node.js 21.x
                 uses: actions/setup-node@v4
                 with:
-                    node-version: 18.x
+                    node-version: 21.x
 
             # Docs: https://github.com/shivammathur/setup-php
             -   name: Setup PHP

diff --git a/docker-compose.yml b/docker-compose.yml
@@ -82,6 +82,8 @@ services:
     mercure:
         container_name: ${MERCURE_CONTAINER:-mercure}
         build:
+            args:
+                VERSION: $MERCURE_VERSION
             context: .
             dockerfile: ./docker/mercure/Dockerfile
         environment:

diff --git a/docker/mercure/Dockerfile b/docker/mercure/Dockerfile
@@ -1,4 +1,6 @@
-FROM dunglas/mercure AS base
+ARG VERSION=latest
+
+FROM dunglas/mercure:${VERSION} AS base
 
 ##
 # production

diff --git a/src/EventSubscriber/ContentSecurityPolicyResponseSubscriber.php b/src/EventSubscriber/ContentSecurityPolicyResponseSubscriber.php
@@ -26,7 +26,9 @@ public function onResponse(ResponseEvent $event): void
         $policy = [
             "default-src 'self'",
             "img-src 'self' data:",
-            "object-src: 'none'",
+            "object-src 'none'",
+            "require-trusted-types-for 'script'",
+            "base-uri 'none'",
             sprintf("connect-src 'self' %s:*", $this->hostname),
         ];
 

diff --git a/tests/Unit/EventSubscriber/ContentSecurityPolicyResponseSubscriberTest.php b/tests/Unit/EventSubscriber/ContentSecurityPolicyResponseSubscriberTest.php
@@ -40,7 +40,8 @@ public function testOnResponseWithIdeUrl(): void
         $subscriber->onResponse($event);
 
         static::assertSame(
-            "default-src 'self'; img-src 'self' data:; object-src: 'none'; connect-src 'self' host:*; frame-src http://localhost:*",
+            "default-src 'self'; img-src 'self' data:; object-src 'none'; require-trusted-types-for 'script'; base-uri 'none'; " .
+            "connect-src 'self' host:*; frame-src http://localhost:*",
             $response->headers->get("Content-Security-Policy")
         );
     }
@@ -53,7 +54,8 @@ public function testOnResponseWithoutIdeUrl(): void
         $subscriber->onResponse($event);
 
         static::assertSame(
-            "default-src 'self'; img-src 'self' data:; object-src: 'none'; connect-src 'self' host:*",
+            "default-src 'self'; img-src 'self' data:; object-src 'none'; require-trusted-types-for 'script';" .
+            " base-uri 'none'; connect-src 'self' host:*",
             $response->headers->get("Content-Security-Policy")
         );
     }