netlify.toml
# This should be used for docs also
# NOTE(review): presumably this means the docs site should ship the same headers; confirm.
# Response headers applied to every path on the site (`for = "/*"`).
[[headers]]
for = "/*"
[headers.values]
# Content-Security-Policy, written as a multi-line string; each trailing backslash
# folds the next line into the same header value.
# NOTE(review): script-src allows any https: origin together with 'unsafe-inline' and
# 'unsafe-eval', so the policy gives little protection against script injection, and
# the named hosts add nothing beyond https: on an HTTPS page. A nonce- or hash-based
# script-src would be the stricter form.
# NOTE(review): connect-src https: permits requests to any HTTPS endpoint.
# NOTE(review): frame-ancestors * lets any origin embed these pages. If embedding is
# not needed everywhere, list the allowed parent origins (or 'self') instead.
# NOTE(review): base-uri and form-action are not set, and neither falls back to
# default-src.
# NOTE(review): the last directive line has no trailing backslash, so the value ends
# with a newline; confirm the host trims it before sending the header.
Content-Security-Policy = """\
default-src 'self'; \
script-src 'self' https: 'unsafe-inline' 'unsafe-eval' *.usepylon.com *.posthog.com *.pusher.com; \
style-src https: 'unsafe-inline'; \
img-src https: data: blob:; \
frame-src 'self' https://www.youtube.com/ https://www.loom.com/ https://www.vimeo.com https://portal.withorb.com blob: data:; \
frame-ancestors *; \
object-src 'none'; \
connect-src https: *.usepylon.com *.posthog.com wss://*.pusher.com; \
font-src 'self' https://fonts.gstatic.com *.usepylon.com;
"""
# Disables geolocation, midi, microphone, camera, magnetometer, gyroscope and payment
# for all origins; sync-xhr and fullscreen remain available to this origin only.
Permissions-Policy = "geolocation=(),midi=(),sync-xhr=(self),microphone=(),camera=(),magnetometer=(),gyroscope=(),fullscreen=(self),payment=()"
# No Referer header is sent with outgoing requests.
Referrer-Policy = "no-referrer"
# Browsers use the declared Content-Type instead of sniffing the response body.
X-Content-Type-Options = "nosniff"
# NOTE(review): COOP "unsafe-none" is the browser default, and CORP "cross-origin" lets
# any origin load these responses. With COOP left at unsafe-none the page is not
# cross-origin isolated even though COEP is set; confirm that is intended.
Cross-Origin-Embedder-Policy = "credentialless"
Cross-Origin-Opener-Policy = "unsafe-none"
Cross-Origin-Resource-Policy = "cross-origin"
# NOTE(review): ALLOW-FROM is obsolete and unsupported by current browsers, and "*" is
# not an origin, so this header has no effect. Framing is governed by the
# frame-ancestors directive in the Content-Security-Policy above.
X-Frame-Options = "allow-from *"