|
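/**
 * Auth0 Lock widget assets: the scripts it loads and the images it shows.
 *
 * The http:// entry is kept because the original policy carried it, but note
 * that an http: host-source matches https: URLs for the same host as well
 * (CSP Level 2/3 scheme matching), so it is a superset of the https: entry
 * that additionally permits a plaintext load.
 * TODO(review): drop the http:// entries once the pages are confirmed to
 * reference only https URLs.
 */
const AUTH0_CDN_HOSTS = Object.freeze([
  'http://cdn.auth0.com',
  'https://cdn.auth0.com',
  'https://cdn.eu.auth0.com',
]);

/**
 * Generic CDNs allowed by both default-src and script-src.
 *
 * unpkg.com serves any public npm package and storage.googleapis.com serves
 * any public bucket, so allowing the whole host lets a script be loaded from
 * content that anyone can publish.  Narrow these to the specific paths the
 * app actually uses if helmet's consumer permits path-bearing sources.
 */
const PUBLIC_CDN_HOSTS = Object.freeze([
  'https://unpkg.com',
  'https://storage.googleapis.com',
]);

/**
 * Content-Security-Policy directives served by the REST API, in the
 * camelCase form that helmet's contentSecurityPolicy() accepts.
 *
 * Every keyword and host from the previous policy is kept, in the same
 * order, so the rendered header is unchanged apart from the two directives
 * added at the bottom (object-src and base-uri).  The object and its arrays
 * are frozen because this is a shared module-level constant; build a copy
 * if a caller needs a per-request variant (e.g. to append a nonce).
 *
 * Review notes on the policy as it stands:
 *  - script-src carries 'unsafe-inline' and 'unsafe-eval', which lets any
 *    injected <script> or string-to-code sink execute, so the directive
 *    offers essentially no XSS protection until inline scripts move to
 *    nonces or hashes.
 *  - 'unsafe-inline' in default-src only has meaning for script/style
 *    fallbacks; both of those directives are set explicitly below.
 *  - NOTE(review): helmet 4+ with `useDefaults` merges its own defaults
 *    (e.g. `script-src-attr 'none'`, `upgrade-insecure-requests`) into this
 *    object.  If the switch to report-only was caused by that merge, either
 *    pass `useDefaults: false` or list the wanted directives here
 *    explicitly — confirm against the helmet version in package.json.
 */
export const CSP_DIRECTIVES = Object.freeze({
  defaultSrc: Object.freeze([
    "'self'", "'unsafe-inline'",
    ...AUTH0_CDN_HOSTS,
    ...PUBLIC_CDN_HOSTS,
    'https://www.google-analytics.com',
  ]),

  styleSrc: Object.freeze([
    "'self'", "'unsafe-inline'",
    'https://ton.twimg.com',
    'https://platform.twitter.com',
  ]),

  scriptSrc: Object.freeze([
    "'self'", "'unsafe-inline'", "'unsafe-eval'",
    ...AUTH0_CDN_HOSTS,
    ...PUBLIC_CDN_HOSTS,
    // http: host-sources also match https: (see AUTH0_CDN_HOSTS).
    'http://embed-assets.wakelet.com',
    'http://platform.twitter.com',
    'https://cdn.syndication.twimg.com',
    'https://www.youtube.com',
    'https://player.vimeo.com',
    'https://www.google-analytics.com',
    'https://www.googletagmanager.com',
    'https://browser.sentry-cdn.com',
    'https://d3js.org',
  ]),

  frameSrc: Object.freeze([
    "'self'",
    'http://embed.wakelet.com',
    'https://syndication.twitter.com',
    'https://platform.twitter.com',
    'https://www.youtube.com',
    'https://player.vimeo.com',
  ]),

  imgSrc: Object.freeze([
    "'self'",
    'https://auth0.com',
    ...AUTH0_CDN_HOSTS,
    'https://pbs.twimg.com',
    'https://ton.twimg.com',
    'https://platform.twitter.com',
    'https://syndication.twitter.com',
    // Inline images (e.g. canvas exports); data: is harmless for img-src
    // but should never be added to script-src or object-src.
    'data:',
  ]),

  // Added hardening.  object-src otherwise falls back to default-src, which
  // would allow <object>/<embed> plugin content from every host above; no
  // plugin content is expected to be needed — confirm before enforcing.
  objectSrc: Object.freeze(["'none'"]),

  // base-uri does NOT fall back to default-src, so without it an injected
  // <base href> could redirect every relative script/style URL on the page.
  baseUri: Object.freeze(["'self'"]),
});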
The CSP policy currently used is not correct.
taxinomitis/src/lib/restapi/config.ts
Lines 43 to 90 in 3d32953
This was brought to light after a recent version update of the
helmet module. To avoid breakages, the CSP was switched to report-only as a temporary workaround.
taxinomitis/src/lib/restapi/index.ts
Lines 42 to 44 in e665e30
The CSP needs to be fixed so that the enforcement can be re-enabled.