Make CSP one liners (#1986)

bcgov · Aug 10, 2023 · 5799a8f · 5799a8f
1 parent 8182008
commit 5799a8f
Show file tree

Hide file tree

Showing 3 changed files with 14 additions and 47 deletions.
diff --git a/met-web/nginx/nginx.dev.conf b/met-web/nginx/nginx.dev.conf
@@ -41,27 +41,14 @@ http {
 
   # add in most common security headers
   add_header Content-Security-Policy "
-    default-src 'self' https://kit.fontawesome.com https://ka-f.fontawesome.com data: blob: filesystem:
-        'unsafe-inline' 'unsafe-eval'; 
-    script-src 'self' 'sha256-JXGej4mPACbE/fP5kuunldJEyMk62sNjNe85DtAcMoU=' https://kit.fontawesome.com
-        https://ka-f.fontawesome.com https://www2.gov.bc.ca https://cdn.form.io https://api.mapbox.com
-        https://www.youtube.com https://player.vimeo.com 'unsafe-eval';
+    default-src 'self' https://kit.fontawesome.com https://ka-f.fontawesome.com data: blob: filesystem: 'unsafe-inline' 'unsafe-eval';
+    script-src 'self' 'sha256-JXGej4mPACbE/fP5kuunldJEyMk62sNjNe85DtAcMoU=' https://kit.fontawesome.com https://ka-f.fontawesome.com https://www2.gov.bc.ca https://cdn.form.io https://api.mapbox.com https://www.youtube.com https://player.vimeo.com 'unsafe-eval';
     worker-src 'self' blob:;
     img-src 'self' data: blob: https://citz-gdx.objectstore.gov.bc.ca;
     style-src 'self' 'unsafe-inline';
-    connect-src 'self' https://spt.apps.gov.bc.ca/com.snowplowanalytics.snowplow/tp2
-        https://epic-engage-analytics-api-dev.apps.gold.devops.gov.bc.ca
-        https://met-analytics-api-dev.apps.gold.devops.gov.bc.ca
-        https://epic-engage-oidc-dev.apps.gold.devops.gov.bc.ca
-        https://met-oidc-dev.apps.gold.devops.gov.bc.ca https://kit.fontawesome.com https://ka-f.fontawesome.com
-        https://citz-gdx.objectstore.gov.bc.ca https://api.mapbox.com https://governmentofbc.maps.arcgis.com
-        https://tiles.arcgis.com https://www.arcgis.com;
-    frame-src 'self' https://met-oidc-dev.apps.gold.devops.gov.bc.ca
-        https://epic-engage-analytics-api-dev.apps.gold.devops.gov.bc.ca
-        https://epic-engage-oidc-dev.apps.gold.devops.gov.bc.ca https://met-analytics-dev.apps.gold.devops.gov.bc.ca
-        https://www.youtube.com https://player.vimeo.com;
-    frame-ancestors 'self' https://met-oidc-dev.apps.gold.devops.gov.bc.ca
-        https://epic-engage-oidc-dev.apps.gold.devops.gov.bc.ca";
+    connect-src 'self' https://spt.apps.gov.bc.ca/com.snowplowanalytics.snowplow/tp2 https://epic-engage-analytics-api-dev.apps.gold.devops.gov.bc.ca https://met-analytics-api-dev.apps.gold.devops.gov.bc.ca https://epic-engage-oidc-dev.apps.gold.devops.gov.bc.ca https://met-oidc-dev.apps.gold.devops.gov.bc.ca https://kit.fontawesome.com https://ka-f.fontawesome.com https://citz-gdx.objectstore.gov.bc.ca https://api.mapbox.com https://governmentofbc.maps.arcgis.com https://tiles.arcgis.com https://www.arcgis.com;
+    frame-src 'self' https://met-oidc-dev.apps.gold.devops.gov.bc.ca https://epic-engage-analytics-api-dev.apps.gold.devops.gov.bc.ca https://epic-engage-oidc-dev.apps.gold.devops.gov.bc.ca https://met-analytics-dev.apps.gold.devops.gov.bc.ca https://www.youtube.com https://player.vimeo.com;
+    frame-ancestors 'self' https://met-oidc-dev.apps.gold.devops.gov.bc.ca https://epic-engage-oidc-dev.apps.gold.devops.gov.bc.ca";
     add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
     add_header X-Content-Type-Options "nosniff";
     add_header X-XSS-Protection 1;

diff --git a/met-web/nginx/nginx.prod.conf b/met-web/nginx/nginx.prod.conf
@@ -41,21 +41,13 @@ http {
 
     # add in most common security headers
     add_header Content-Security-Policy "
-      default-src 'self' https://kit.fontawesome.com https://ka-f.fontawesome.com data: blob: filesystem:
-          'unsafe-inline' 'unsafe-eval'; 
-      script-src 'self' 'sha256-JXGej4mPACbE/fP5kuunldJEyMk62sNjNe85DtAcMoU=' https://kit.fontawesome.com
-          https://ka-f.fontawesome.com https://www2.gov.bc.ca https://cdn.form.io https://api.mapbox.com
-          https://www.youtube.com https://player.vimeo.com 'unsafe-eval';
+      default-src 'self' https://kit.fontawesome.com https://ka-f.fontawesome.com data: blob: filesystem: 'unsafe-inline' 'unsafe-eval';
+      script-src 'self' 'sha256-JXGej4mPACbE/fP5kuunldJEyMk62sNjNe85DtAcMoU=' https://kit.fontawesome.com https://ka-f.fontawesome.com https://www2.gov.bc.ca https://cdn.form.io https://api.mapbox.com https://www.youtube.com https://player.vimeo.com 'unsafe-eval';
       worker-src 'self' blob:;
       img-src 'self' data: blob: https://citz-gdx.objectstore.gov.bc.ca;
       style-src 'self' 'unsafe-inline';
-      connect-src 'self' https://spt.apps.gov.bc.ca/com.snowplowanalytics.snowplow/tp2
-          https://met-analytics-api.apps.gold.devops.gov.bc.ca
-          https://met-oidc.apps.gold.devops.gov.bc.ca https://kit.fontawesome.com https://ka-f.fontawesome.com
-          https://citz-gdx.objectstore.gov.bc.ca https://api.mapbox.com https://governmentofbc.maps.arcgis.com
-          https://tiles.arcgis.com https://www.arcgis.com;
-      frame-src 'self' https://met-oidc.apps.gold.devops.gov.bc.ca
-          https://met-analytics.apps.gold.devops.gov.bc.ca https://www.youtube.com https://player.vimeo.com;
+      connect-src 'self' https://spt.apps.gov.bc.ca/com.snowplowanalytics.snowplow/tp2 https://met-analytics-api.apps.gold.devops.gov.bc.ca https://met-oidc.apps.gold.devops.gov.bc.ca https://kit.fontawesome.com https://ka-f.fontawesome.com https://citz-gdx.objectstore.gov.bc.ca https://api.mapbox.com https://governmentofbc.maps.arcgis.com https://tiles.arcgis.com https://www.arcgis.com;
+      frame-src 'self' https://met-oidc.apps.gold.devops.gov.bc.ca https://met-analytics.apps.gold.devops.gov.bc.ca https://www.youtube.com https://player.vimeo.com;
       frame-ancestors 'self' https://met-oidc.apps.gold.devops.gov.bc.ca";
     add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
     add_header X-Content-Type-Options "nosniff";

diff --git a/met-web/nginx/nginx.test.conf b/met-web/nginx/nginx.test.conf
@@ -41,26 +41,14 @@ http {
 
     # add in most common security headers
     add_header Content-Security-Policy "
-      default-src 'self' https://kit.fontawesome.com https://ka-f.fontawesome.com data: blob: filesystem:
-          'unsafe-inline' 'unsafe-eval'; 
-      script-src 'self' 'sha256-JXGej4mPACbE/fP5kuunldJEyMk62sNjNe85DtAcMoU=' https://kit.fontawesome.com
-          https://ka-f.fontawesome.com https://www2.gov.bc.ca https://cdn.form.io https://api.mapbox.com
-          https://www.youtube.com https://player.vimeo.com 'unsafe-eval';
+      default-src 'self' https://kit.fontawesome.com https://ka-f.fontawesome.com data: blob: filesystem: 'unsafe-inline' 'unsafe-eval'; 
+      script-src 'self' 'sha256-JXGej4mPACbE/fP5kuunldJEyMk62sNjNe85DtAcMoU=' https://kit.fontawesome.com https://ka-f.fontawesome.com https://www2.gov.bc.ca https://cdn.form.io https://api.mapbox.com https://www.youtube.com https://player.vimeo.com 'unsafe-eval';
       worker-src 'self' blob:;
       img-src 'self' data: blob: https://citz-gdx.objectstore.gov.bc.ca;
       style-src 'self' 'unsafe-inline';
-      connect-src 'self' https://spt.apps.gov.bc.ca/com.snowplowanalytics.snowplow/tp2
-          https://epic-engage-analytics-api-test.apps.gold.devops.gov.bc.ca
-          https://epic-engage-oidc-test.apps.gold.devops.gov.bc.ca
-          https://met-analytics-api-test.apps.gold.devops.gov.bc.ca
-          https://met-oidc-test.apps.gold.devops.gov.bc.ca https://kit.fontawesome.com https://ka-f.fontawesome.com
-          https://citz-gdx.objectstore.gov.bc.ca https://api.mapbox.com https://governmentofbc.maps.arcgis.com
-          https://tiles.arcgis.com https://www.arcgis.com;
-      frame-src 'self' https://met-oidc-test.apps.gold.devops.gov.bc.ca
-          https://epic-engage-oidc-test.apps.gold.devops.gov.bc.ca https://epic-engage-analytics-api-test.apps.gold.devops.gov.bc.ca
-          https://met-analytics-test.apps.gold.devops.gov.bc.ca https://www.youtube.com https://player.vimeo.com;
-      frame-ancestors 'self' https://met-oidc-test.apps.gold.devops.gov.bc.ca
-          https://epic-engage-oidc-test.apps.gold.devops.gov.bc.ca";
+      connect-src 'self' https://spt.apps.gov.bc.ca/com.snowplowanalytics.snowplow/tp2 https://epic-engage-analytics-api-test.apps.gold.devops.gov.bc.ca https://epic-engage-oidc-test.apps.gold.devops.gov.bc.ca https://met-analytics-api-test.apps.gold.devops.gov.bc.ca https://met-oidc-test.apps.gold.devops.gov.bc.ca https://kit.fontawesome.com https://ka-f.fontawesome.com https://citz-gdx.objectstore.gov.bc.ca https://api.mapbox.com https://governmentofbc.maps.arcgis.com https://tiles.arcgis.com https://www.arcgis.com;
+      frame-src 'self' https://met-oidc-test.apps.gold.devops.gov.bc.ca https://epic-engage-oidc-test.apps.gold.devops.gov.bc.ca https://epic-engage-analytics-api-test.apps.gold.devops.gov.bc.ca https://met-analytics-test.apps.gold.devops.gov.bc.ca https://www.youtube.com https://player.vimeo.com;
+      frame-ancestors 'self' https://met-oidc-test.apps.gold.devops.gov.bc.ca https://epic-engage-oidc-test.apps.gold.devops.gov.bc.ca";
     add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
     add_header X-Content-Type-Options "nosniff";
     add_header X-XSS-Protection 1;