From 4d8ab67c5910384a4e9858d3e02085b3029ede24 Mon Sep 17 00:00:00 2001
From: Adam Peller
Date: Sun, 23 Jul 2023 12:53:41 -0400
Subject: [PATCH] DCXY-18423 add child-src rule, with blob: for dev and stage

---
 acrobat/scripts/contentSecurityPolicy/csp.js | 3 ++-
 acrobat/scripts/contentSecurityPolicy/dev.js | 8 +++++++-
 acrobat/scripts/contentSecurityPolicy/prod.js | 7 ++++++-
 acrobat/scripts/contentSecurityPolicy/stage.js | 8 +++++++-
 4 files changed, 22 insertions(+), 4 deletions(-)

diff --git a/acrobat/scripts/contentSecurityPolicy/csp.js b/acrobat/scripts/contentSecurityPolicy/csp.js
index 82c53fad..c447f928 100644
--- a/acrobat/scripts/contentSecurityPolicy/csp.js
+++ b/acrobat/scripts/contentSecurityPolicy/csp.js
@@ -21,7 +21,8 @@ async function getCspEnv() {
 
 export default async function ContentSecurityPolicy() {
 const { default: ENV } = await getCspEnv();
- const theCSP = `connect-src ${ENV.connectSrc.join(' ')}\
+ const theCSP = `child-src ${ENV.childSrc.join(' ')}\
+ connect-src ${ENV.connectSrc.join(' ')}\
 default-src ${ENV.defaultSrc.join(' ')}\
 font-src ${ENV.fontSrc.join(' ')}\
 form-action ${ENV.formAction.join(' ')}\
diff --git a/acrobat/scripts/contentSecurityPolicy/dev.js b/acrobat/scripts/contentSecurityPolicy/dev.js
index 763804f6..e87d2a8b 100644
--- a/acrobat/scripts/contentSecurityPolicy/dev.js
+++ b/acrobat/scripts/contentSecurityPolicy/dev.js
@@ -1,3 +1,9 @@
+const childSrc = [
+ '\'self\'',
+ 'blob:',
+ ';',
+];
+
 const connectSrc = [
 '\'self\'',
 'blob:',
@@ -225,4 +231,4 @@ const workerSrc = [
 
 // TRY This
 // use variables for the different domians
-export default { connectSrc, defaultSrc, fontSrc, formAction, frameSrc, imgSrc, manifestSrc, scriptSrc, styleSrc, workerSrc};
+export default { childSrc, connectSrc, defaultSrc, fontSrc, formAction, frameSrc, imgSrc, manifestSrc, scriptSrc, styleSrc, workerSrc};
diff --git a/acrobat/scripts/contentSecurityPolicy/prod.js b/acrobat/scripts/contentSecurityPolicy/prod.js
index 89518e31..3b2dcd5f 100644
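Review bot: The new `child-src` directive is emitted alongside `frame-src` and `worker-src`, which the same template already builds from `ENV.frameSrc` and `ENV.workerSrc`; in CSP3 browsers `child-src` is only the fallback those two directives take precedence over, so this line tightens nothing for frames or workers wherever the other two are set and mainly affects older engines. A comment on the added line would stop a later reader from relaxing `frame-src`/`worker-src` on the assumption that `child-src` still governs them, e.g. `// child-src is the fallback for frame-src and worker-src; both are set below and take precedence in CSP3`. Note also that `ENV.childSrc.join(' ')` throws a TypeError if an environment module returned by getCspEnv() does not export `childSrc`; the three modules in this patch do, so this only matters if another env file exists. ContentSecurityPolicy() continues past the end of the hunk.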
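Review bot: The added `'blob:'` entry in dev's `childSrc` carries no comment saying which dev-only feature needs object-URL frames or workers, and since prod's list is `'self'` only, a reader cannot tell whether this is a temporary allowance or a permanent dev/prod difference. Allowing `blob:` here means any script able to create a Blob can spawn a frame or worker from it, so it is a deliberate widening worth recording on the line: `// blob: needed in dev for frames/workers built from object URLs; intentionally absent in prod`. If the consumer is a worker, CSP3 browsers consult `worker-src` rather than `child-src`, so confirm the directive that actually needs the allowance; the `workerSrc` list is outside this hunk.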
--- a/acrobat/scripts/contentSecurityPolicy/prod.js
+++ b/acrobat/scripts/contentSecurityPolicy/prod.js
@@ -1,3 +1,8 @@
+const childSrc = [
+ '\'self\'',
+ ';',
+];
+
 const connectSrc = [
 '\'self\'',
 'blob:',
@@ -239,4 +244,4 @@ const workerSrc = [
 ';',
 ];
 
-export default { connectSrc, defaultSrc, fontSrc, formAction, frameSrc, imgSrc, manifestSrc, scriptSrc, styleSrc, workerSrc};
+export default { childSrc, connectSrc, defaultSrc, fontSrc, formAction, frameSrc, imgSrc, manifestSrc, scriptSrc, styleSrc, workerSrc};
diff --git a/acrobat/scripts/contentSecurityPolicy/stage.js b/acrobat/scripts/contentSecurityPolicy/stage.js
index f589a7be..db6dbc1f 100644
--- a/acrobat/scripts/contentSecurityPolicy/stage.js
+++ b/acrobat/scripts/contentSecurityPolicy/stage.js
@@ -1,3 +1,9 @@
+const childSrc = [
+ '\'self\'',
+ 'blob:',
+ ';',
+];
+
 const connectSrc = [
 '\'self\'',
 'blob:',
@@ -258,4 +264,4 @@ const workerSrc = [
 ';',
 ];
 
-export default { connectSrc, defaultSrc, fontSrc, formAction, frameSrc, imgSrc, manifestSrc, scriptSrc, styleSrc, workerSrc};
+export default { childSrc, connectSrc, defaultSrc, fontSrc, formAction, frameSrc, imgSrc, manifestSrc, scriptSrc, styleSrc, workerSrc};
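Review bot: Prod's `childSrc` is `'self'` only, stricter than the `blob:`-bearing dev and stage lists, but because `frameSrc` and `workerSrc` are also exported from this module and CSP3 browsers consult `frame-src`/`worker-src` before `child-src`, whether `blob:` frames or workers are actually blocked in prod depends on those two lists, which are outside the hunk. If either of them allows `blob:`, the stricter value here only restricts legacy browsers. A one-line comment on the new array would record the intent and the dependency: `// no blob: in prod — keep in step with frameSrc/workerSrc below, which CSP3 browsers consult first`.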
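Review bot: Stage now allows `blob:` in `child-src` while prod does not, so a feature that relies on blob-backed frames or workers will pass on stage and only surface as a CSP violation in prod, and stage is normally the last environment where that difference would be caught. Unless a stage-only tool needs it, prefer making the stage list identical to prod's, i.e. `'\'self\'', ';'`, and granting `blob:` in prod if the product feature genuinely needs it. If the divergence is deliberate, say so on the line: `// blob: on stage only — TODO(DCXY-18423) confirm prod does not need it`.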