CSP: remove a bunch of unused mozilla-only domains and FXA domains
This commit is contained in:
parent
d305e7fd57
commit
44c03e355f
|
@ -36,19 +36,10 @@ module.exports = function(app) {
|
||||||
defaultSrc: ["'self'"],
|
defaultSrc: ["'self'"],
|
||||||
connectSrc: [
|
connectSrc: [
|
||||||
"'self'",
|
"'self'",
|
||||||
'wss://*.dev.lcip.org',
|
|
||||||
'wss://*.send.nonprod.cloudops.mozgcp.net',
|
|
||||||
config.base_url.replace(/^https:\/\//, 'wss://'),
|
config.base_url.replace(/^https:\/\//, 'wss://'),
|
||||||
'https://*.dev.lcip.org',
|
|
||||||
'https://accounts.firefox.com',
|
|
||||||
'https://*.accounts.firefox.com',
|
|
||||||
'https://sentry.prod.mozaws.net'
|
|
||||||
],
|
],
|
||||||
imgSrc: [
|
imgSrc: [
|
||||||
"'self'",
|
"'self'",
|
||||||
'https://*.dev.lcip.org',
|
|
||||||
'https://firefoxusercontent.com',
|
|
||||||
'https://secure.gravatar.com'
|
|
||||||
],
|
],
|
||||||
scriptSrc: [
|
scriptSrc: [
|
||||||
"'self'",
|
"'self'",
|
||||||
|
@ -66,18 +57,6 @@ module.exports = function(app) {
|
||||||
csp.directives.connectSrc.push(
|
csp.directives.connectSrc.push(
|
||||||
config.base_url.replace(/^https:\/\//, 'wss://')
|
config.base_url.replace(/^https:\/\//, 'wss://')
|
||||||
);
|
);
|
||||||
if (config.fxa_csp_oauth_url != '') {
|
|
||||||
csp.directives.connectSrc.push(config.fxa_csp_oauth_url);
|
|
||||||
}
|
|
||||||
if (config.fxa_csp_content_url != '') {
|
|
||||||
csp.directives.connectSrc.push(config.fxa_csp_content_url);
|
|
||||||
}
|
|
||||||
if (config.fxa_csp_profile_url != '') {
|
|
||||||
csp.directives.connectSrc.push(config.fxa_csp_profile_url);
|
|
||||||
}
|
|
||||||
if (config.fxa_csp_profileimage_url != '') {
|
|
||||||
csp.directives.imgSrc.push(config.fxa_csp_profileimage_url);
|
|
||||||
}
|
|
||||||
|
|
||||||
app.use(helmet.contentSecurityPolicy(csp));
|
app.use(helmet.contentSecurityPolicy(csp));
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in New Issue