
refactor: update CSP

Gao Sun 2023-05-25 19:04:32 +08:00
parent 46746f8285
commit ef6b1f4e66
No known key found for this signature in database
GPG key ID: 13EBE123E4773688
2 changed files with 4 additions and 1 deletions


@ -65,6 +65,7 @@ export default function withSecurityHeaders<InputContext extends RequestContext>
const basicSecurityHeaderSettings: HelmetOptions = {
contentSecurityPolicy: false, // Exclusively set for console app only
crossOriginEmbedderPolicy: { policy: 'credentialless' },
expectCt: false, // Not recommended, will be deprecated by modern browsers
dnsPrefetchControl: false,
referrerPolicy: {
@ -93,7 +94,7 @@ export default function withSecurityHeaders<InputContext extends RequestContext>
directives: {
'upgrade-insecure-requests': null,
imgSrc: ["'self'", 'data:', 'https:'],
scriptSrc: ["'self'", "'unsafe-eval'", "'unsafe-inline'", ...gtagOrigins],
scriptSrc: ["'self'", "'unsafe-eval'", "'unsafe-inline'"],
connectSrc: [
"'self'",
...adminOrigins,
@ -101,6 +102,7 @@ export default function withSecurityHeaders<InputContext extends RequestContext>
...urlSetOrigins,
...developmentOrigins,
...appInsightsOrigins,
...gtagOrigins,
],
frameSrc: ["'self'", ...urlSetOrigins, ...adminOrigins],
},
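Review bot: On the new side `gtagOrigins` appears only in `connectSrc`, yet the second file in this commit still loads the tag loader with a `<script src="https://www.googletagmanager.com/gtag/js?...">` element, and a script element is governed by `script-src`, not `connect-src` (which covers fetch/XHR/beacon). If this directive set is the one applied to the app that renders that tag, the loader will be blocked; if it is served to a different app, a comment saying which app this CSP targets, e.g. `// Applied to <app>; gtag script itself is loaded elsewhere`, would make the split intentional rather than accidental. Separately, the kept `"'unsafe-eval'"` and `"'unsafe-inline'"` in `scriptSrc` remove most of CSP's XSS protection; a short comment stating why they are still needed (and a TODO toward nonces or hashes) would help the next reviewer. `withSecurityHeaders` begins and ends outside these hunks.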


@ -85,6 +85,7 @@ function App() {
{shouldReportToGtag && (
<script
async
crossOrigin="anonymous"
src={`https://www.googletagmanager.com/gtag/js?id=${gtagAwTrackingId}`}
/>
)}
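Review bot: The added `crossOrigin="anonymous"` changes only the CORS request mode (and, with it, how much detail `window.onerror` gets for this script); without an `integrity` attribute it provides no tamper protection, and gtag/js is not a pinnable asset, so a comment such as `// crossOrigin only enables detailed error reporting; SRI is not possible for gtag/js` would prevent readers from assuming it hardens the load. The `src` template also interpolates `gtagAwTrackingId` directly into the query string; if that value can come from anything other than build-time configuration, wrapping it as `id=${encodeURIComponent(gtagAwTrackingId)}` keeps an unexpected `&`/`#` from altering the request. `App` starts and ends outside the hunk.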