From 7fabb57ac254b269996818fbb5ef7462f68debf2 Mon Sep 17 00:00:00 2001
From: Abhishek
Date: Wed, 17 Aug 2022 17:33:44 +1200
Subject: [PATCH 1/4] CSP fix

---
 netlify.toml | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/netlify.toml b/netlify.toml
index 0256a635c..c3e8324d8 100644
--- a/netlify.toml
+++ b/netlify.toml
@@ -1,3 +1,13 @@
 [build]
 publish = "build"
-command = "yarn build"
\ No newline at end of file
+command = "yarn build"
+
+ [[headers]]
+ for = "/*"
+ [headers.values]
+ Referrer-Policy = "same-origin"
+ X-Content-Type-Options = "nosniff"
+ X-Frame-Options = "DENY"
+ X-XSS-Protection = "1; mode=block"
+ Strict-Transport-Security = "max-age=63072000; includeSubDomains; preload"
+ Content-Security-Policy = "default-src 'self' *.infura.io; child-src 'self' app.netlify.com; script-src 'self' app.netlify.com netlify-cdp-loader.netlify.app;"
\ No newline at end of file
From 0e80c3792369b857115942355e1aed07bcc1b0d4 Mon Sep 17 00:00:00 2001
From: Abhishek
Date: Wed, 17 Aug 2022 17:49:14 +1200
Subject: [PATCH 2/4] Remove Default-src

---
 netlify.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/netlify.toml b/netlify.toml
index c3e8324d8..89709b0d3 100644
--- a/netlify.toml
+++ b/netlify.toml
@@ -10,4 +10,4 @@ command = "yarn build"
 X-Frame-Options = "DENY"
 X-XSS-Protection = "1; mode=block"
 Strict-Transport-Security = "max-age=63072000; includeSubDomains; preload"
- Content-Security-Policy = "default-src 'self' *.infura.io; child-src 'self' app.netlify.com; script-src 'self' app.netlify.com netlify-cdp-loader.netlify.app;"
\ No newline at end of file
+ Content-Security-Policy = "child-src 'self' app.netlify.com; script-src 'self' app.netlify.com netlify-cdp-loader.netlify.app;"
\ No newline at end of file
From 79a2736f7b16d4dac812bce693b0499a406b3f9f Mon Sep 17 00:00:00 2001
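Review bot: `X-XSS-Protection = "1; mode=block"` in the new [headers.values] block is a legacy header: current browsers have removed the XSS auditor it controlled, and the usual guidance is to send `X-XSS-Protection = "0"` (or omit the key) and rely on the Content-Security-Policy instead, since the auditor's block mode has been associated with cross-site information leaks in the browsers that still honour it. The CSP on the last added line also leaves `base-uri` and `form-action` unset; unlike `object-src`, those directives do not fall back to `default-src`, so `<base>` injection and form submission targets stay unrestricted until they are listed explicitly. Both sides of the hunk also end without a trailing newline, which is why the `\ No newline at end of file` markers appear.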
From: Abhishek
Date: Wed, 17 Aug 2022 18:06:33 +1200
Subject: [PATCH 3/4] Added more properties

---
 netlify.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/netlify.toml b/netlify.toml
index 89709b0d3..3d472db41 100644
--- a/netlify.toml
+++ b/netlify.toml
@@ -10,4 +10,4 @@ command = "yarn build"
 X-Frame-Options = "DENY"
 X-XSS-Protection = "1; mode=block"
 Strict-Transport-Security = "max-age=63072000; includeSubDomains; preload"
- Content-Security-Policy = "child-src 'self' app.netlify.com; script-src 'self' app.netlify.com netlify-cdp-loader.netlify.app;"
\ No newline at end of file
+ Content-Security-Policy = "default-src 'none'; child-src 'self' app.netlify.com; script-src 'self' app.netlify.com netlify-cdp-loader.netlify.app; connect-src 'self'; img-src 'self'; style-src 'self'; font-src 'self';"
\ No newline at end of file
From 9da3ff7f9a6024e48171475561628cf885f82f96 Mon Sep 17 00:00:00 2001
From: Abhishek
Date: Wed, 17 Aug 2022 18:35:01 +1200
Subject: [PATCH 4/4] Try CSP again

---
 netlify.toml | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/netlify.toml b/netlify.toml
index 3d472db41..53882d98e 100644
--- a/netlify.toml
+++ b/netlify.toml
@@ -10,4 +10,14 @@ command = "yarn build"
 X-Frame-Options = "DENY"
 X-XSS-Protection = "1; mode=block"
 Strict-Transport-Security = "max-age=63072000; includeSubDomains; preload"
- Content-Security-Policy = "default-src 'none'; child-src 'self' app.netlify.com; script-src 'self' app.netlify.com netlify-cdp-loader.netlify.app; connect-src 'self'; img-src 'self'; style-src 'self'; font-src 'self';"
\ No newline at end of file
+ Content-Security-Policy = '''
+ default-src 'none',
+ child-src 'self' app.netlify.com,
+ script-src 'self' app.netlify.com netlify-cdp-loader.netlify.app,
+ connect-src 'self',
+ img-src 'self',
+ style-src 'self',
+ font-src 'self' '''
+
+
+
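Review bot: The new value drops `*.infura.io`, which patch 1 had allowed through `default-src`, while restricting `connect-src` to `'self'`; if the app still reaches Infura over fetch/XHR/WebSocket those requests will now be blocked, so confirm against the client code and add the host to `connect-src` if it is required. `default-src 'none'` does not govern `base-uri`, `form-action` or `frame-ancestors`, which have no fallback, so adding `base-uri 'self'; form-action 'self'; frame-ancestors 'none';` closes that gap (the last mirrors the X-Frame-Options line above for CSP-aware browsers). `style-src 'self'` and a `script-src` without `'unsafe-inline'` will also reject any inline `<style>` or `<script>` the build emits, which is the right end state but worth verifying against the built output before deploying.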
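Review bot: The rewritten value on the added lines separates directives with commas and raw newlines instead of semicolons, so the browser does not see one policy: a Content-Security-Policy value is split on commas into independent policies that must all be satisfied, and the first fragment, `default-src 'none'`, on its own blocks every script, style, image and connection the later fragments try to allow. The `'''` literal also keeps the line breaks and indentation inside the header value, which HTTP does not permit in a field value; how Netlify treats them is not visible here and would need confirming. A multi-line basic string with line-ending backslashes keeps the file readable while producing a single-line, `;`-separated value, as below. The three empty `+` lines at the end of the hunk can be dropped.

```toml
    Strict-Transport-Security = "max-age=63072000; includeSubDomains; preload"
    Content-Security-Policy = """\
      default-src 'none'; \
      child-src 'self' app.netlify.com; \
      script-src 'self' app.netlify.com netlify-cdp-loader.netlify.app; \
      connect-src 'self'; \
      img-src 'self'; \
      style-src 'self'; \
      font-src 'self'\
      """
```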