CSP: remove a bunch of unused mozilla-only domains and FXA domains

This commit is contained in:
io mintz 2020-11-13 22:24:38 +00:00
parent d305e7fd57
commit 44c03e355f


@ -36,19 +36,10 @@ module.exports = function(app) {
defaultSrc: ["'self'"], defaultSrc: ["'self'"],
connectSrc: [ connectSrc: [
"'self'", "'self'",
'wss://*.dev.lcip.org',
'wss://*.send.nonprod.cloudops.mozgcp.net',
config.base_url.replace(/^https:\/\//, 'wss://'), config.base_url.replace(/^https:\/\//, 'wss://'),
'https://*.dev.lcip.org',
'https://accounts.firefox.com',
'https://*.accounts.firefox.com',
'https://sentry.prod.mozaws.net'
], ],
imgSrc: [ imgSrc: [
"'self'", "'self'",
'https://*.dev.lcip.org',
'https://firefoxusercontent.com',
'https://secure.gravatar.com'
], ],
scriptSrc: [ scriptSrc: [
"'self'", "'self'",
@ -66,18 +57,6 @@ module.exports = function(app) {
csp.directives.connectSrc.push( csp.directives.connectSrc.push(
config.base_url.replace(/^https:\/\//, 'wss://') config.base_url.replace(/^https:\/\//, 'wss://')
); );
if (config.fxa_csp_oauth_url != '') {
csp.directives.connectSrc.push(config.fxa_csp_oauth_url);
}
if (config.fxa_csp_content_url != '') {
csp.directives.connectSrc.push(config.fxa_csp_content_url);
}
if (config.fxa_csp_profile_url != '') {
csp.directives.connectSrc.push(config.fxa_csp_profile_url);
}
if (config.fxa_csp_profileimage_url != '') {
csp.directives.imgSrc.push(config.fxa_csp_profileimage_url);
}
app.use(helmet.contentSecurityPolicy(csp)); app.use(helmet.contentSecurityPolicy(csp));
} }
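Review bot: The four `config.fxa_csp_*_url` guards dropped in the second hunk read config keys (`fxa_csp_oauth_url`, `fxa_csp_content_url`, `fxa_csp_profile_url`, `fxa_csp_profileimage_url`) that presumably are still declared in the config module outside this diff; if so they are now dead settings and should be removed in the same change, otherwise an operator setting them will expect those origins to be allow-listed when they no longer are. After the removals, the wss origin derived from `config.base_url` is the only non-self connectSrc entry left in the first hunk and the same value is pushed again at the top of the second hunk; that push sits in a block whose start is outside the hunk so it may be conditional, but if both paths run the origin is listed twice, which is harmless to CSP but deserves a comment such as `// already in the static list; re-pushed here because <reason placeholder>`. Separately, `replace(/^https:\/\//, 'wss://')` is a no-op for an `http://` base_url, so a non-TLS deployment would end up with the plain http origin in connectSrc and websocket connections blocked; if that case is meant to be supported, `config.base_url.replace(/^http(s?):\/\//, 'ws$1://')` handles both schemes. The enclosing `module.exports` function starts before the first hunk.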