
fix: add csp settings #383

Merged
merged 1 commit into from
Nov 1, 2022

Conversation

lazysoundsystem
Contributor

Refs: HID-2354

This adds CSP exceptions we include in the Drupal sites - but not the 'unsafe-inline' exception - which may be covered by the hash which is included already. Needs testing.

@lazysoundsystem lazysoundsystem merged commit d5e00d8 into dev Nov 1, 2022
@lazysoundsystem lazysoundsystem deleted the HID-2354-csp-settings branch November 1, 2022 11:31
@@ -175,14 +176,18 @@ module.exports = {
// Google reCAPTCHA v2: scripts to load UI. See frameSrc.
'https://www.google.com',
'https://www.gstatic.com',
'www.googletagmanager.com',
// These hashes are for GA and our inline JS+feature detection.
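Review bot: the comment on the hunk's last line ("These hashes are for GA and our inline JS+feature detection") should name which inline snippet each sha256 hash-source below it pins, since a hash-source only matches the exact bytes of the script it was computed over; without that mapping, a changed snippet can only be diagnosed from the browser's console error, which is what the PR description's "Needs testing" leaves to chance. Also, 'www.googletagmanager.com' is the one host-source in this list without a scheme, unlike 'https://www.google.com' and 'https://www.gstatic.com' directly above it; writing it as 'https://www.googletagmanager.com' keeps the list consistent and avoids relying on the page's own scheme.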

My browser requested that another SHA be added to allow GTM inline script to execute:

Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' https://www.google-analytics.com data: https://www.google.com https://www.gstatic.com www.googletagmanager.com 'sha256-zITkoAg4eI1v3VSFI+ATEQKWvoymQcxmFNojptzmlNw=' 'sha256-Ch69wX3la/uD7qfUZRHgam3hofEvI6fesgFgtvG9rTM=' 'nonce-07d68ed120e378e0c1566480028c2145'". Either the 'unsafe-inline' keyword, a hash ('sha256-g62AIFyyvfvqRMhNu7QMQ0GMk0Rx+Bbk1KzTy+CzTCI=')

The hash is the convention we've been using so I'll make a follow-up PR to include it.

rupl added a commit that referenced this pull request Nov 7, 2022