govnl-1.0.x-dev/modules/govnl_seckit/govnl_seckit.module
modules/govnl_seckit/govnl_seckit.module
<?php
/**
* @file
* Govnl seckit module.
*/
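/**
 * Implements hook_seckit_options_alter().
 *
 * Relaxes the Content-Security-Policy options for authenticated users:
 * 'unsafe-inline' is added to script-src and style-src, and 'sha256-...' hash
 * sources are removed from those two directives, because a hash source in the
 * same directive makes browsers ignore 'unsafe-inline'. Requests from
 * anonymous users are left exactly as configured.
 *
 * Security note: the only guard is isAuthenticated(), so the relaxed policy
 * applies to every logged-in user on every route, not only on admin routes.
 * For those sessions CSP no longer blocks injected inline script or style.
 *
 * @param array $directives
 *   The seckit options, altered in place. Only
 *   $directives['seckit_xss']['csp'] is read and written here.
 */
function govnl_seckit_seckit_options_alter(&$directives) {
  // Anonymous visitors keep the strict policy untouched.
  if (!\Drupal::currentUser()->isAuthenticated()) {
    return;
  }

  $unsafeInline = "'unsafe-inline'";
  $hashPrefix = "'sha256-";

  // NOTE(review): the original comment scoped this to admin routes, but no
  // route check exists here. If admin-only is the intent, narrow the guard
  // (for example with the router.admin_context service) before relaxing CSP.
  foreach (['script-src', 'style-src'] as $directive) {
    // A directive that is absent or not a string is treated as empty, so no
    // undefined-index notice or null-to-strpos() deprecation is raised.
    $current = $directives['seckit_xss']['csp'][$directive] ?? '';
    if (!is_string($current)) {
      $current = '';
    }

    // Split on any whitespace run so that doubled spaces do not leave empty
    // tokens (and stray spaces) in the rebuilt directive.
    $sources = preg_split('/\s+/', trim($current), -1, PREG_SPLIT_NO_EMPTY);

    // Drop sha256 hash sources; they would make 'unsafe-inline' ineffective.
    // NOTE(review): 'sha384-', 'sha512-' and 'nonce-' sources have the same
    // effect in browsers and are deliberately left as-is here, matching the
    // original behaviour. Confirm none are configured for these directives.
    $kept = [];
    foreach ($sources as $source) {
      if (strncmp($source, $hashPrefix, strlen($hashPrefix)) !== 0) {
        $kept[] = $source;
      }
    }

    // Append 'unsafe-inline' only when it is not already listed as a source.
    if (!in_array($unsafeInline, $kept, TRUE)) {
      $kept[] = $unsafeInline;
    }

    $directives['seckit_xss']['csp'][$directive] = implode(' ', $kept);
  }
}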
