From 2373dab2212ab890fc8cbafa49d5ba4fa7c7d249 Mon Sep 17 00:00:00 2001 From: Manav Date: Fri, 6 Jan 2023 19:18:22 +0530 Subject: [PATCH] Add the URL of the secondary hot storage in the CSP whitelist Tested by: making this change, and connecting to Phoenix museum (which serves the secondary hot storage), and verifying that the CSP policy reports that were getting logged to console no longer appear. --- configUtil.js | 2 +- public/_headers | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/configUtil.js b/configUtil.js index c248fc377..65234c2cf 100644 --- a/configUtil.js +++ b/configUtil.js @@ -26,7 +26,7 @@ module.exports = { 'style-src': "'self' 'unsafe-inline'", 'font-src ': "'self'; script-src 'self' 'unsafe-eval' blob:", 'connect-src': - "'self' https://*.ente.io http://localhost:8080 data: blob: https://ente-prod-eu.s3.eu-central-003.backblazeb2.com ", + "'self' https://*.ente.io http://localhost:8080 data: blob: https://ente-prod-eu.s3.eu-central-003.backblazeb2.com https://ente-prod-v3.s3.eu-central-2.wasabisys.com/", 'base-uri ': "'self'", // to allow worker 'child-src': "'self' blob:", diff --git a/public/_headers b/public/_headers index 388d4038c..caa299ea2 100644 --- a/public/_headers +++ b/public/_headers @@ -8,5 +8,5 @@ X-Frame-Options: deny X-XSS-Protection: 1; mode=block Referrer-Policy: same-origin - Content-Security-Policy-Report-Only: default-src 'self'; img-src 'self' blob: data:; media-src 'self' blob:; style-src 'self' 'unsafe-inline'; font-src 'self'; script-src 'self' 'unsafe-eval' blob:; manifest-src 'self'; child-src 'self' blob:; object-src 'none'; connect-src 'self' https://*.ente.io data: blob: https://ente-prod-eu.s3.eu-central-003.backblazeb2.com ; base-uri 'self'; frame-ancestors 'none'; form-action 'none'; report-uri https://csp-reporter.ente.io; report-to https://csp-reporter.ente.io; + Content-Security-Policy-Report-Only: default-src 'self'; img-src 'self' blob: data:; media-src 'self' blob:; style-src 'self' 'unsafe-inline'; font-src 'self'; script-src 'self' 'unsafe-eval' blob:; manifest-src 'self'; child-src 'self' blob:; object-src 'none'; connect-src 'self' https://*.ente.io data: blob: https://ente-prod-eu.s3.eu-central-003.backblazeb2.com https://ente-prod-v3.s3.eu-central-2.wasabisys.com/ ; base-uri 'self'; frame-ancestors 'none'; form-action 'none'; report-uri https://csp-reporter.ente.io; report-to https://csp-reporter.ente.io;