
Commit 705d9db

toil(front): strengthen CSP with base-uri and restrict external domains (#453)

## 📝 Description

strengthen CSP with base-uri and restrict external domain

- drop storage.googleapis.com since #26 we moved assets from google
- remove * from .cloudfront.net

## ✅ Checklist

- [x] I have tested this change
- [x] ~This change requires documentation update~
1 parent 51d123e commit 705d9db

File tree

1 file changed, 4 additions and 5 deletions


front/lib/front_web/plugs/content_security_policy.ex

Lines changed: 4 additions & 5 deletions
@@ -31,18 +31,18 @@ defmodule FrontWeb.Plug.ContentSecurityPolicy do
3131
nonces_for: [:script_src],
3232
report_only: Application.get_env(:front, :environment) in [:dev, :test],
3333
directives: %{
34+
base_uri: ~w('self'),
3435
connect_src: connect_src(),
3536
default_src: ~w('none'),
3637
media_src: ~w(beacon-v2.helpscout.net),
3738
child_src: ~w('self'),
38-
font_src:
39-
~w('self' storage.googleapis.com beacon-v2.helpscout.net fonts.gstatic.com cdn.jsdelivr.net),
39+
font_src: ~w('self' beacon-v2.helpscout.net fonts.gstatic.com cdn.jsdelivr.net),
4040
img_src:
41-
~w(data: 'self' *.userpilot.io static.zdassets.com *.zendesk.com storage.googleapis.com gravatar.com *.gravatar.com *.wp.com *.githubusercontent.com *.cloudfront.net bitbucket.org github.com gitlab.com beacon-v2.helpscout.net d33v4339jhl8k0.cloudfront.net chatapi-prod.s3.amazonaws.com/ bitbucket-assetroot.s3.amazonaws.com ui-avatars.com *.atl-paas.net *.sitesearch360.com docs.semaphoreci.com),
41+
~w(data: 'self' *.userpilot.io static.zdassets.com *.zendesk.com gravatar.com *.gravatar.com *.wp.com *.githubusercontent.com d12wqas9hcki3z.cloudfront.net bitbucket.org github.com gitlab.com beacon-v2.helpscout.net d33v4339jhl8k0.cloudfront.net chatapi-prod.s3.amazonaws.com/ bitbucket-assetroot.s3.amazonaws.com ui-avatars.com *.atl-paas.net *.sitesearch360.com docs.semaphoreci.com),
4242
script_src:
4343
~w(https: 'self' 'strict-dynamic' *.userpilot.io static.zdassets.com beacon-v2.helpscout.net d12wqas9hcki3z.cloudfront.net d33v4339jhl8k0.cloudfront.net *.sitesearch360.com www.googletagmanager.com cdn.jsdeliver.net),
4444
style_src:
45-
~w('self' 'unsafe-inline' *.userpilot.io fonts.gstatic.com fonts.googleapis.com storage.googleapis.com cdnjs.cloudflare.com beacon-v2.helpscout.net cdn.jsdelivr.net),
45+
~w('self' 'unsafe-inline' *.userpilot.io fonts.gstatic.com fonts.googleapis.com cdnjs.cloudflare.com beacon-v2.helpscout.net cdn.jsdelivr.net),
4646
frame_src: ~w('self' beacon-v2.helpscout.net),
4747
object_src: ~w(beacon-v2.helpscout.net)
4848
}
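Review bot: `script_src` on context line 43 still lists `cdn.jsdeliver.net`, which looks like a typo for `cdn.jsdelivr.net` (the spelling used by `font_src` and `style_src` in this same hunk); since this commit is tightening the allowlists it is the right moment to correct it, because as written the entry allows nothing useful. Two smaller points on the same block: `script_src` combines `'strict-dynamic'` with `https:` and a host list, and browsers that honour `'strict-dynamic'` ignore scheme and host sources, so that host list is only a fallback for older browsers and should not be read as the effective policy; and since `base_uri: ~w('self')` is being added, consider giving `form_action` the same treatment, as the directives map shown here has no entry for it and `default_src 'none'` does not apply to form submissions (like `base-uri`, `form-action` has no fallback to `default-src`).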
@@ -61,7 +61,6 @@ defmodule FrontWeb.Plug.ContentSecurityPolicy do
6161
"ekr.zdassets.com",
6262
"beaconapi.helpscout.net",
6363
"chatapi.helpscout.net",
64-
"storage.googleapis.com",
6564
"d3hb14vkzrxvla.cloudfront.net",
6665
"wss://*.pusher.com",
6766
"*.sumologic.com",
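Review bot: Dropping `"storage.googleapis.com"` from `connect_src` is consistent with the `img_src`/`font_src`/`style_src` removals above, but note that `report_only` (line 32 in the first hunk) is true only in `:dev` and `:test`, so in production any remaining XHR/fetch to that host will be blocked rather than merely reported; before merging, grep the front-end assets and templates for `storage.googleapis.com` to confirm the #26 migration left no references behind. Also, the commit message describes the change as removing `*` from `.cloudfront.net`, yet this list keeps `"wss://*.pusher.com"` and `"*.sumologic.com"`; if those wildcards are intentional, a short comment next to them saying so would stop the next reviewer from re-raising it.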
