From 6ad864c4a1b459bc867bd48317bf07dec41bf8a8 Mon Sep 17 00:00:00 2001
From: Jade Ellis
Date: Sun, 24 Nov 2024 03:24:32 +0000
Subject: [PATCH] Fiddle with CSP stuff
---
 packages/website/csp.js | 35 +++++++++++++++++++----------------
 1 file changed, 19 insertions(+), 16 deletions(-)
diff --git a/packages/website/csp.js b/packages/website/csp.js
index a3591438..e668c2b4 100644
--- a/packages/website/csp.js
+++ b/packages/website/csp.js
@@ -1,32 +1,35 @@
 const rootDomain = process.env.VITE_DOMAIN; // or your server IP for dev
 import { SENTRY_HOST } from './src/lib/config.js';
 import { SENTRY_REPORT_URL } from './src/lib/config.js';
+
+const self = "'self'";
+const none = "'none'";
 /**
  * @type {import("@sveltejs/kit").CspDirectives}
  */
 const cspDirectives = {
- 'base-uri': ["self"],
- 'child-src': ["self", "blob:"],
- 'connect-src': ["self", "https://*.google-analytics.com", "https://" + SENTRY_HOST],
- // 'connect-src': ["self", 'ws://localhost:*', 'https://hcaptcha.com', 'https://*.hcaptcha.com'],
- 'img-src': ["self", 'data:',
+ 'base-uri': [self],
+ 'child-src': [self, "blob:"],
+ 'connect-src': [self, "https://*.google-analytics.com", "https://" + SENTRY_HOST],
+ // 'connect-src': [self, 'ws://localhost:*', 'https://hcaptcha.com', 'https://*.hcaptcha.com'],
+ 'img-src': [self, 'data:',
 'https://*.googletagmanager.com'],
- 'font-src': ["self", 'data:'],
- 'form-action': ["self"],
- 'frame-ancestors': ["self"],
+ 'font-src': [self, 'data:'],
+ 'form-action': [self],
+ 'frame-ancestors': [self],
 'frame-src': [
- "self",
+ self,
 // "https://*.stripe.com",
 // "https://*.facebook.com",
 // "https://*.facebook.net",
 // 'https://hcaptcha.com',
 // 'https://*.hcaptcha.com',
 ],
- 'manifest-src': ["self"],
- 'media-src': ["self", 'data:'],
- 'object-src': ["none"],
- 'style-src': ["self", "unsafe-inline"],
- // 'style-src': ["self", "'unsafe-inline'", 'https://hcaptcha.com', 'https://*.hcaptcha.com'],
+ 'manifest-src': [self],
+ 'media-src': [self, 'data:'],
+ 'object-src': [none],
+ 'style-src': [self, "unsafe-inline"],
+ // 'style-src': [self, "'unsafe-inline'", 'https://hcaptcha.com', 'https://*.hcaptcha.com'],
 'default-src': [
 'self',
 ...(rootDomain ? [rootDomain, `ws://${rootDomain}`] : []),
@@ -42,7 +45,7 @@ const cspDirectives = {
 // 'https://*.sentry.io',
 ],
 'script-src': [
- "self",
+ self,
 "unsafe-inline", // chrome suggestion
 'https://*.googletagmanager.com'
 // 'https://*.stripe.com',
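Review bot: Two keyword sources in this hunk are still emitted without the CSP quotes that the new `self`/`none` constants were introduced to supply: `'default-src'` keeps the bare JS literal `'self'` (the string `self`, which a browser matches as a host named self), and `'style-src'` keeps `"unsafe-inline"`, which the CSP grammar treats as a host-source rather than the keyword, so inline styles remain blocked while the policy reads as if they were allowed. The quoted form is the one SvelteKit's CspDirectives type expects, and the commented-out `'style-src'` line directly below already uses it (`"'unsafe-inline'"`). Change the two entries to `self,` under `'default-src'` and `'style-src': [self, "'unsafe-inline'"],`, or add `const unsafeInline = "'unsafe-inline'";` beside `self` and `none` and use it. The `'script-src'` hunk below (`-42,7 +45,7`) carries the same unquoted `"unsafe-inline"` on its context line and needs the same treatment. As a point of style, `self` shadows the standard global of that name in browser and worker scopes; `SELF`/`NONE` or `selfSrc`/`noneSrc` would avoid confusion if these values ever move into shared code.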
@@ -53,7 +56,7 @@ const cspDirectives = {
 // 'https://*.sentry.io',
 // 'https://polyfill.io',
 ],
- 'worker-src': ["self", "blob:"],
+ 'worker-src': [self, "blob:"],
 // remove report-to & report-uri if you do not want to use Sentry reporting
 'report-to': ["csp-endpoint"],
 'report-uri': [