
Commit 4df3f2a

olyismelle authored and committed
🔒️ Configure CSP
1 parent 97fda44 commit 4df3f2a

File tree

1 file changed

+24
-3
lines changed


config/initializers/content_security_policy.rb

Lines changed: 24 additions & 3 deletions
@@ -21,11 +21,32 @@
2121
policy.font_src :self, 'https://www2.buildkiteassets.com/'
2222
policy.img_src :self, 'https://buildkiteassets.com/', 'https://buildkite.com/', ENV.fetch('BADGE_DOMAIN', 'https://badge.buildkite.com')
2323
policy.object_src :none
24-
policy.script_src :self, "https://www.googletagmanager.com/"
2524
policy.style_src :self, :unsafe_inline
2625

27-
# allow AJAX queries against our search vendor
28-
policy.connect_src "https://#{ENV['ALGOLIA_APP_ID']}-dsn.algolia.net", "https://#{ENV['ALGOLIA_APP_ID']}-1.algolianet.com", "https://#{ENV['ALGOLIA_APP_ID']}-2.algolianet.com", "https://#{ENV['ALGOLIA_APP_ID']}-3.algolianet.com", "https://www.google-analytics.com/"
26+
policy.script_src(
27+
:self,
28+
'https://www.googletagmanager.com/',
29+
30+
# Allow Segment's Analytics.js 2.0
31+
# https://segment.com/docs/connections/sources/catalog/libraries/website/javascript/upgrade-to-ajs2/#using-a-strict-content-security-policy-on-the-page
32+
"https://cdn.segment.com/analytics.js/v1/q0LtPl49tgnyHHY8PGBsPsshHk9AVNKm/analytics.min.js", # production
33+
"https://cdn.segment.com/analytics.js/v1/EuoLh8Z8RQR0GXhCWz3H0ddTSIV4ysJv/analytics.min.js", # development
34+
"https://cdn.segment.com/analytics-next/bundles/",
35+
"https://cdn.segment.com/next-integrations/integrations/"
36+
)
37+
38+
policy.connect_src(
39+
# allow AJAX queries against our search vendor
40+
"https://#{ENV['ALGOLIA_APP_ID']}-dsn.algolia.net",
41+
"https://#{ENV['ALGOLIA_APP_ID']}-1.algolianet.com",
42+
"https://#{ENV['ALGOLIA_APP_ID']}-2.algolianet.com",
43+
"https://#{ENV['ALGOLIA_APP_ID']}-3.algolianet.com",
44+
45+
# Allow Segment's Analytics.js 2.0
46+
# https://segment.com/docs/connections/sources/catalog/libraries/website/javascript/upgrade-to-ajs2/#using-a-strict-content-security-policy-on-the-page
47+
"https://cdn.segment.com/v1/projects/q0LtPl49tgnyHHY8PGBsPsshHk9AVNKm/settings", # production
48+
"https://cdn.segment.com/v1/projects/EuoLh8Z8RQR0GXhCWz3H0ddTSIV4ysJv/settings" # development
49+
)
2950

3051
# Specify URI for violation reports
3152
policy.report_uri "/_csp-violation-reports"
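Review bot: the rewritten `policy.connect_src(...)` drops `"https://www.google-analytics.com/"`, which the old single-line `connect_src` allowed, and neither the comments nor the commit message ("Configure CSP") say this is intended. Since `script_src` still allows `https://www.googletagmanager.com/`, any Google Analytics beacons fired via Tag Manager would now be blocked by the policy and show up at `/_csp-violation-reports`; either keep that origin in the new list or state the removal in the commit message. Secondary point: the Segment `script_src` and `connect_src` entries hard-code both the `# production` and `# development` write keys, so each environment's policy allows the other environment's source; the file already reads `ENV['ALGOLIA_APP_ID']` for Algolia, so selecting the Segment write key the same way (one `ENV.fetch` per environment) would keep the allow-list to the single key actually in use.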
