From 9713ad3d8f21e2fa6837b49648224c181027b120 Mon Sep 17 00:00:00 2001
From: Yassine Rais
Date: Mon, 14 Mar 2022 15:24:39 +0100
Subject: [PATCH] csp - markdown editor - google analy
---
 entrypoint.sh | 4 ++--
 nginx.conf | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/entrypoint.sh b/entrypoint.sh
index 7f97508..8069b7f 100755
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -50,8 +50,8 @@ else
 sed -i "s/$HEAD_TAG/$GA_TAG\n$HEAD_TAG/g" $INDEX_HTML_FILE
- sed -i "s~script-src~script-src https://www.google-analytics.com https://ssl.google-analytics.com
-~g" $NGINX_CONF_FILE
+ sed -i "s~script-src~script-src https://www.google-analytics.com https://ssl.google-analytics.com~g" $NGINX_CONF_FILE
+ sed -i "s~script-src-elem~script-src-elem https://www.google-analytics.com~g" $NGINX_CONF_FILE
 sed -i "s~img-src~img-src https://www.google-analytics.com~g" $NGINX_CONF_FILE
 sed -i "s~connect-src~connect-src https://www.google-analytics.com~g" $NGINX_CONF_FILE
 fi
diff --git a/nginx.conf b/nginx.conf
index 9c625d3..2c5f9f9 100644
--- a/nginx.conf
+++ b/nginx.conf
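Review bot: The first added sed, `s~script-src~…~g`, also matches the prefix of the `script-src-elem` directive that nginx.conf now carries, so it rewrites `script-src-elem 'self'` into a second `script-src https://www.google-analytics.com https://ssl.google-analytics.com-elem 'self'` before the second sed runs; browsers ignore a duplicate directive, so the element-specific policy is silently dropped and the header carries a bogus `https://ssl.google-analytics.com-elem` source, while the `script-src-elem` sed then matches nothing. Anchoring on the trailing space keeps the two directives apart: `sed -i "s~script-src ~script-src https://www.google-analytics.com https://ssl.google-analytics.com ~g" $NGINX_CONF_FILE` and `sed -i "s~script-src-elem ~script-src-elem https://www.google-analytics.com ~g" $NGINX_CONF_FILE`. These in-place edits also run on every start of the entrypoint; if $NGINX_CONF_FILE persists between runs (a mounted volume, for instance) the hosts are appended again each time, which a guard such as `grep -q google-analytics "$NGINX_CONF_FILE" ||` in front of the block would prevent. The if/else that this `fi` closes begins before the hunk.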
@@ -18,7 +18,7 @@ server {
 add_header X-Content-Type-Options nosniff;
 add_header X-XSS-Protection "1; mode=block";
 # TODO: generate nonce for vue js assets & remove unsafe-inline
- add_header Content-Security-Policy "default-src 'self'; font-src *; script-src 'unsafe-eval' 'unsafe-inline' 'self'; style-src 'self' 'unsafe-inline' fonts.googleapis.com; object-src 'none'; base-uri 'self'; form-action 'self'; img-src 'self' https://cdnjs.cloudflare.com/ data:; connect-src 'self' cdnjs.cloudflare.com;";
+ add_header Content-Security-Policy "default-src 'self'; font-src *; script-src 'unsafe-eval' 'unsafe-inline' 'self'; script-src-elem 'self'; style-src 'self' 'unsafe-inline' fonts.googleapis.com cdn.jsdelivr.net cdn.jsdelivr.net; object-src 'none'; base-uri 'self'; form-action 'self'; img-src 'self' https://cdnjs.cloudflare.com/ data:; connect-src 'self' cdnjs.cloudflare.com;";
 location / {
 try_files $uri $uri/ @rewrites;
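Review bot: The new `script-src-elem 'self'` is stricter than the `script-src` beside it: for `<script>` elements it takes precedence over `script-src` and it does not carry the `'unsafe-inline'` that the TODO above says the Vue assets still need, so browsers that implement `script-src-elem` will block inline script tags (including the GA snippet entrypoint.sh injects as $GA_TAG, if that snippet is inline) while older browsers keep allowing them. Either add `'unsafe-inline'` to the new directive as well, or leave it out until the nonce work from the TODO lands, so the policy is the same in every browser. Separately, `cdn.jsdelivr.net` is listed twice in `style-src`; one entry is enough: `style-src 'self' 'unsafe-inline' fonts.googleapis.com cdn.jsdelivr.net;`. A short comment next to the existing TODO saying why script elements are restricted to `'self'` while script-src is not would save the next reader the same question.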