mirror of
https://github.com/logto-io/logto.git
synced 2024-12-30 20:33:54 -05:00
refactor: update CSP
This commit is contained in:
parent
46746f8285
commit
ef6b1f4e66
2 changed files with 4 additions and 1 deletions
@ -65,6 +65,7 @@ export default function withSecurityHeaders<InputContext extends RequestContext>
const basicSecurityHeaderSettings: HelmetOptions = {
contentSecurityPolicy: false, // Exclusively set for console app only
crossOriginEmbedderPolicy: { policy: 'credentialless' },
expectCt: false, // Not recommended, will be deprecated by modern browsers
dnsPrefetchControl: false,
referrerPolicy: {
@ -93,7 +94,7 @@ export default function withSecurityHeaders<InputContext extends RequestContext>
directives: {
'upgrade-insecure-requests': null,
imgSrc: ["'self'", 'data:', 'https:'],
scriptSrc: ["'self'", "'unsafe-eval'", "'unsafe-inline'", ...gtagOrigins],
scriptSrc: ["'self'", "'unsafe-eval'", "'unsafe-inline'"],
connectSrc: [
"'self'",
...adminOrigins,
@ -101,6 +102,7 @@ export default function withSecurityHeaders<InputContext extends RequestContext>
...urlSetOrigins,
...developmentOrigins,
...appInsightsOrigins,
...gtagOrigins,
],
frameSrc: ["'self'", ...urlSetOrigins, ...adminOrigins],
},
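Review bot: The scriptSrc line in the second hunk still carries `'unsafe-inline'` and `'unsafe-eval'`, so adding or removing `...gtagOrigins` on that line barely changes what script-src permits: inline and eval'd scripts are already allowed, and the origin allowlist only restricts external script URLs. The rendered page prints both scriptSrc variants without `+`/`-` markers; if the variant without `...gtagOrigins` is the new side, the `<script src="https://www.googletagmanager.com/gtag/js…">` element in the App component must still be allowed by script-src, so confirm that origin is covered elsewhere or the tag will be blocked. The `...gtagOrigins` entry added to connectSrc in the third hunk covers fetch/XHR/beacon traffic only, not script loading, and a one-line comment there would make the split explicit, e.g. `// gtag: allow the tag's own network requests here; the script URL itself is governed by scriptSrc`. withSecurityHeaders starts and ends outside these hunks.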
@ -85,6 +85,7 @@ function App() {
{shouldReportToGtag && (
<script
async
crossOrigin="anonymous"
src={`https://www.googletagmanager.com/gtag/js?id=${gtagAwTrackingId}`}
/>
)}
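Review bot: The tracking ID on the `src` line is interpolated into the query string unencoded; unless gtagAwTrackingId is a compile-time constant, prefer `src={`https://www.googletagmanager.com/gtag/js?id=${encodeURIComponent(gtagAwTrackingId)}`}` so a stray `&` or `#` in a configured value cannot rewrite the URL. The page shows no `+`/`-` markers, so I take `crossOrigin="anonymous"` to be the added line; the reason for it is not stated anywhere in the hunk, and a short comment above `{shouldReportToGtag && (` would help, e.g. `{/* crossOrigin: fetch the tag without credentials — confirm this matches the COEP/CSP settings in the security headers middleware */}`. Where gtagAwTrackingId is defined is outside this hunk, as is the rest of App.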