add unsafe eval to dev (#1127)

bridge-ui/.env.template

@@ -31,7 +31,7 @@ NEXT_PUBLIC_LAYERSWAP_API_KEY=<LAYERSWAP_API_KEY>
 
 NEXT_PUBLIC_IS_CCTP_ENABLED=true
 
-NEXT_PUBLIC_ENVIRONMENT=development
+NEXT_PUBLIC_ENVIRONMENT=local
 
 E2E_TEST_PRIVATE_KEY=<YOUR_PRIVATE_KEY>
 

bridge-ui/src/middleware.ts

@@ -4,6 +4,9 @@ import { NextRequest, NextResponse } from "next/server";
 export function middleware(request: NextRequest) {
   const nonce = Buffer.from(crypto.randomUUID()).toString("base64");
 
+  // We only want to allow unsafe-eval in local environment for NextJS dev server
+  const unsafeEvalScript = process.env.NEXT_PUBLIC_ENVIRONMENT === "local" ? "unsafe-eval" : "";
+
   /**
    * Content Security Policy (CSP) configuration:
    *
@@ -49,7 +52,7 @@ export function middleware(request: NextRequest) {
    */
   const cspHeader = `
     default-src 'self';
-    script-src 'self' 'nonce-${nonce}' 'strict-dynamic';
+    script-src 'self' 'nonce-${nonce}' ${unsafeEvalScript} https://bridge.linea.build;
     style-src 'self' 'unsafe-inline';
     img-src 'self' blob: data: https:;
     font-src 'self' data: https://cdn.jsdelivr.net;