Fiddle with CSP stuff

This commit is contained in:
Jade Ellis 2024-11-24 03:24:32 +00:00
parent bee92f3b5a
commit 6ad864c4a1
No known key found for this signature in database
GPG key ID: 8705A2A3EBF77BD2


@ -1,32 +1,35 @@
const rootDomain = process.env.VITE_DOMAIN; // or your server IP for dev
import { SENTRY_HOST } from './src/lib/config.js';
import { SENTRY_REPORT_URL } from './src/lib/config.js';
const self = "'self'";
const none = "'none'";
/**
* @type {import("@sveltejs/kit").CspDirectives}
*/
const cspDirectives = {
'base-uri': ["self"],
'child-src': ["self", "blob:"],
'connect-src': ["self", "https://*.google-analytics.com", "https://" + SENTRY_HOST],
// 'connect-src': ["self", 'ws://localhost:*', 'https://hcaptcha.com', 'https://*.hcaptcha.com'],
'img-src': ["self", 'data:',
'base-uri': [self],
'child-src': [self, "blob:"],
'connect-src': [self, "https://*.google-analytics.com", "https://" + SENTRY_HOST],
// 'connect-src': [self, 'ws://localhost:*', 'https://hcaptcha.com', 'https://*.hcaptcha.com'],
'img-src': [self, 'data:',
'https://*.googletagmanager.com'],
'font-src': ["self", 'data:'],
'form-action': ["self"],
'frame-ancestors': ["self"],
'font-src': [self, 'data:'],
'form-action': [self],
'frame-ancestors': [self],
'frame-src': [
"self",
self,
// "https://*.stripe.com",
// "https://*.facebook.com",
// "https://*.facebook.net",
// 'https://hcaptcha.com',
// 'https://*.hcaptcha.com',
],
'manifest-src': ["self"],
'media-src': ["self", 'data:'],
'object-src': ["none"],
'style-src': ["self", "unsafe-inline"],
// 'style-src': ["self", "'unsafe-inline'", 'https://hcaptcha.com', 'https://*.hcaptcha.com'],
'manifest-src': [self],
'media-src': [self, 'data:'],
'object-src': [none],
'style-src': [self, "unsafe-inline"],
// 'style-src': [self, "'unsafe-inline'", 'https://hcaptcha.com', 'https://*.hcaptcha.com'],
'default-src': [
'self',
...(rootDomain ? [rootDomain, `ws://${rootDomain}`] : []),
@ -42,7 +45,7 @@ const cspDirectives = {
// 'https://*.sentry.io',
],
'script-src': [
"self",
self,
"unsafe-inline", // chrome suggestion
'https://*.googletagmanager.com'
// 'https://*.stripe.com',
@ -53,7 +56,7 @@ const cspDirectives = {
// 'https://*.sentry.io',
// 'https://polyfill.io',
],
'worker-src': ["self", "blob:"],
'worker-src': [self, "blob:"],
// remove report-to & report-uri if you do not want to use Sentry reporting
'report-to': ["csp-endpoint"],
'report-uri': [
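Review bot: After this change the keyword sources are spelled three different ways in the same object: `self` (the new `"'self'"` constant), the bare `'self'` still left at `'default-src': ['self', ...]` in the first hunk, and the bare `"unsafe-inline"` in `'style-src'` (first hunk) and `'script-src'` (second hunk); whether each form yields a valid header depends on what consumes `cspDirectives`. If it is handed to SvelteKit's `kit.csp.directives` (as the `CspDirectives` JSDoc type suggests), SvelteKit adds the quotes around bare keyword forms itself and passes already-quoted strings through, so both spellings reach the browser as `'self'`, but any code that joins this object into a header string directly would emit an unquoted `self`/`unsafe-inline`, which browsers read as a host name rather than a keyword. Either way the conversion should be completed in one step: `'default-src': [self, ...]`, plus `const unsafeInline = "'unsafe-inline'";` beside `self`/`none` so that `style-src` and `script-src` use it too. Separately, `'unsafe-inline'` in `script-src` (context line marked "chrome suggestion") gives up most of what `script-src` protects against; SvelteKit can emit a nonce or hash for its own inline scripts via `kit.csp.mode`, and once a nonce/hash source is present in a directive browsers ignore `'unsafe-inline'` there anyway, so it is worth checking whether it can be dropped. The `cspDirectives` object literal continues past the end of the last hunk.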