fix: add Osano cookie consent CSP permissions (#463)

ahmedomosanya · web-flow · commit 16e4f63f5476 · 2025-08-04T10:24:24.000+01:00
* fix: add Osano cookie consent CSP permissions - Add cmp.osano.com to connect-src for configuration API calls - Add cmp.osano.com to frame-src for consent UI iframe - Add www.googletagmanager.com to script-src for GTM integration Resolves CSP violations preventing Osano cookie consent from functioning properly. Signed-off-by: ahmedomosanya <aopeyemi@contractor.linuxfoundation.org> * fix: Add Google Analytics & DoubleClick to connect-src CSP Add Google Analytics and DoubleClick domains to connect-src directive to allow Osano and GTM scripts to send analytics beacons: - www.google-analytics.com - Google Analytics beacons - analytics.google.com - Google Analytics 4 - www.googletagmanager.com - GTM fetch requests - googleads.g.doubleclick.net - DoubleClick advertising - stats.g.doubleclick.net - DoubleClick stats Addresses CodeRabbit review feedback for complete Osano/GTM integration. Signed-off-by: ahmedomosanya <aopeyemi@contractor.linuxfoundation.org> * fix: remove DoubleClick advertising domain from CSP connect-src - Remove https://googleads.g.doubleclick.net from allowed connect sources - Keep https://stats.g.doubleclick.net for analytics functionality - Improves security by reducing CSP attack surface --------- Signed-off-by: ahmedomosanya <aopeyemi@contractor.linuxfoundation.org>
diff --git a/edge/security-headers.js b/edge/security-headers.js
@@ -43,7 +43,12 @@ function generateCSP(env, isDevServer) {
     'https://api.lfcla.dev.platform.linuxfoundation.org/',
     'https://easycla.dev.communitybridge.org/',
     'https://easycla.lfx.linuxfoundation.org/',
-    'https://contributor.easycla.lfx.linuxfoundation.org/'
+    'https://contributor.easycla.lfx.linuxfoundation.org/',
+    'https://cmp.osano.com', // Cookie consent management
+    'https://www.google-analytics.com', // Google Analytics beacons
+    'https://analytics.google.com', // Google Analytics 4
+    'https://www.googletagmanager.com', // GTM fetch requests
+    'https://stats.g.doubleclick.net' // DoubleClick stats
   ];
   let scriptSources = [SELF, UNSAFE_EVAL, UNSAFE_INLINE,
     'https://cdn.dev.platform.linuxfoundation.org/lfx-header-v2.js',
@@ -54,7 +59,8 @@ function generateCSP(env, isDevServer) {
     'https://cdn.dev.platform.linuxfoundation.org/lfx-footer-no-zone.js',
     'https://cdn.staging.platform.linuxfoundation.org/lfx-footer-no-zone.js',
     'https://cdn.platform.linuxfoundation.org/lfx-footer-no-zone.js',
-    'https://cmp.osano.com' // Cookie consent
+    'https://cmp.osano.com', // Cookie consent
+    'https://www.googletagmanager.com' // Google Tag Manager for Osano
   ];
 
   const styleSources = [SELF, UNSAFE_INLINE, 'https://use.fontawesome.com/', 'https://communitybridge.org/'];
@@ -106,7 +112,8 @@ function generateCSP(env, isDevServer) {
       'https://linuxfoundation-dev.auth0.com',
       'https://linuxfoundation-staging.auth0.com',
       'https://linuxfoundation.auth0.com',
-      'https://sso.linuxfoundation.org/'
+      'https://sso.linuxfoundation.org/',
+      'https://cmp.osano.com' // Cookie consent UI iframe
     ],
     'child-src': [],
     'media-src': [],
