From ef6b1f4e66559ce3dea7def991f275049125ced4 Mon Sep 17 00:00:00 2001
From: Gao Sun
Date: Thu, 25 May 2023 19:04:32 +0800
Subject: [PATCH] refactor: update CSP
---
 packages/cloud/src/middleware/with-security-headers.ts | 4 +++-
 packages/console/src/onboarding/App.tsx | 1 +
 2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/packages/cloud/src/middleware/with-security-headers.ts b/packages/cloud/src/middleware/with-security-headers.ts
index 94e4c131d..9a8b82a02 100644
--- a/packages/cloud/src/middleware/with-security-headers.ts
+++ b/packages/cloud/src/middleware/with-security-headers.ts
@@ -65,6 +65,7 @@ export default function withSecurityHeaders
 const basicSecurityHeaderSettings: HelmetOptions = {
 contentSecurityPolicy: false, // Exclusively set for console app only 
+ crossOriginEmbedderPolicy: { policy: 'credentialless' },
 expectCt: false, // Not recommended, will be deprecated by modern browsers
 dnsPrefetchControl: false,
 referrerPolicy: {
@@ -93,7 +94,7 @@ export default function withSecurityHeaders
 directives: {
 'upgrade-insecure-requests': null,
 imgSrc: ["'self'", 'data:', 'https:'], 
- scriptSrc: ["'self'", "'unsafe-eval'", "'unsafe-inline'", ...gtagOrigins], 
+ scriptSrc: ["'self'", "'unsafe-eval'", "'unsafe-inline'"],
 connectSrc: [
 "'self'",
 ...adminOrigins,
@@ -101,6 +102,7 @@ export default function withSecurityHeaders
 ...urlSetOrigins,
 ...developmentOrigins,
 ...appInsightsOrigins, 
+ ...gtagOrigins,
 ],
 frameSrc: ["'self'", ...urlSetOrigins, ...adminOrigins],
 },
diff --git a/packages/console/src/onboarding/App.tsx b/packages/console/src/onboarding/App.tsx
index 471332e47..94dfed3e2 100644
--- a/packages/console/src/onboarding/App.tsx
+++ b/packages/console/src/onboarding/App.tsx
@@ -85,6 +85,7 @@ function App() {
 {shouldReportToGtag && (
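Review bot: The added `crossOriginEmbedderPolicy: { policy: 'credentialless' }` in the first hunk is the only entry in basicSecurityHeaderSettings without a trailing rationale comment, and it changes fetch behaviour for every response served with these settings: under COEP credentialless, cross-origin subresources requested in no-cors mode are fetched without credentials, so any cross-origin resource that needs cookies must opt in through CORP or CORS headers. Suggest matching the neighbouring lines with something like `crossOriginEmbedderPolicy: { policy: 'credentialless' }, // Cross-origin no-cors subresources load without credentials; resources that need cookies must send CORP/CORS headers`. Presumably the goal is cross-origin isolation without breaking third-party scripts; stating that is worthwhile, because a browser that does not recognise the `credentialless` value treats the header as no policy at all. withSecurityHeaders begins before this hunk.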
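Review bot: After dropping `...gtagOrigins` in the second hunk, `scriptSrc` still carries both `'unsafe-inline'` and `'unsafe-eval'`, which permit any inline script and eval and largely neutralise the script-src allowlist, yet the line gives no indication of why both remain. Suggest recording it on the line, e.g. `scriptSrc: ["'self'", "'unsafe-eval'", "'unsafe-inline'"], // TODO: move to nonces/hashes; 'unsafe-inline' and 'unsafe-eval' are kept for <reason>`, with the actual reason filled in by the author. The origins move to `connectSrc` in the third hunk, which governs fetch/XHR/beacon but not `<script src>`, so if gtag.js is still loaded by a script tag from a Google origin this policy would block it; that presumably relies on the App.tsx change, whose hunk is cut off in this chunk, and is worth confirming. withSecurityHeaders begins before this hunk.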