Update headers and CSP value (#7904)

* update security headers

* add csp values

* move frame-ancestors

* remove frame-ancestor from meta

* update headers

* use double quotes in yml file

---------

Co-authored-by: Jacob Logan <[email protected]>

Author: jacoblogan

customHttp.yml

@@ -12,6 +12,10 @@ customHeaders:
         value: '1; mode=block'
       - key: 'X-Content-Type-Options'
         value: 'nosniff'
+      - key: 'Cache-Control'
+        value: 'no-store, no-cache'
+      - key: 'Pragma'
+        value: 'no-cache'
       - key: 'Content-Security-Policy'
-        value: 'upgrade-insecure-requests;'
+        value: "upgrade-insecure-requests; frame-ancestors 'none';"
       # CSP also set in _document.tsx meta tag

src/pages/_document.tsx

@@ -62,6 +62,8 @@ const getCspContent = (context) => {
   if (process.env.BUILD_ENV !== 'production') {
     return `
       default-src 'none';
+      object-src 'none';
+      base-uri 'none';
       style-src 'self' 'unsafe-inline' ${ANALYTICS_CSP.all.style.join(' ')};
       font-src 'self' data:;
       frame-src 'self' https://www.youtube-nocookie.com ${ANALYTICS_CSP.all.frame.join(
@@ -85,6 +87,8 @@ const getCspContent = (context) => {
   // Have to keep track of CSP inside customHttp.yml as well
   return `
     default-src 'none';
+    object-src 'none';
+    base-uri 'none';
     style-src 'self' 'unsafe-inline' ${ANALYTICS_CSP.all.style.join(' ')};
     font-src 'self';
     frame-src 'self' https://www.youtube-nocookie.com ${ANALYTICS_CSP.all.frame.join(
@@ -102,6 +106,7 @@ const getCspContent = (context) => {
     script-src 'self' ${cspInlineScriptHash} ${ANALYTICS_CSP.prod.script.join(
       ' '
     )} ${ANALYTICS_CSP.all.script.join(' ')};
+    require-trusted-types-for 'script';
   `;
 };