feat: Remove local-dev Content Security Policy (#2179)
joshlarson authored Oct 1, 2024
1 parent 888f056 commit 6ba2846
Showing 1 changed file with 3 additions and 14 deletions.
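--- a/config/runtime.exs
+++ b/config/runtime.exs
@@ -229,21 +229,10 @@ case config_env() do
 "; "
 )
 
+# Dev is only used for local development, so we don't need, and in
+# fact actively do not want, a restrictive CSP
 :dev ->
-config :dotcom,
-:content_security_policy_definition,
-Enum.join(
-[
-"default-src 'none'",
-"img-src 'self' cdn.mbta.com #{System.get_env("CMS_API_BASE_URL", "")} *.google.com *.googleapis.com *.gstatic.com mbta-map-tiles-dev.s3.amazonaws.com data: i.ytimg.com www.googletagmanager.com",
-"style-src 'self' 'unsafe-inline' localhost:* www.gstatic.com cdn.jsdelivr.net",
-"script-src 'self' 'unsafe-eval' 'unsafe-inline' localhost:* www.instagram.com *.google.com www.gstatic.com www.googletagmanager.com www.google-analytics.com *.googleapis.com data.mbta.com",
-"font-src 'self' localhost:*",
-"connect-src 'self' localhost:* ws://localhost:* *.googleapis.com",
-"frame-src 'self' localhost:* data.mbta.com www.youtube.com www.google.com cdn.knightlab.com livestream.com www.instagram.com"
-],
-"; "
-)
+config :dotcom, :content_security_policy_definition, "*"
 
 :test ->
 config :dotcom, :content_security_policy_definition, ""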
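Review bot: In the `:dev ->` branch, `"*"` is not a CSP directive, so if this string is sent verbatim as the `Content-Security-Policy` header, browsers will treat it as an unrecognized directive and ignore it, probably with a console warning; it disables the policy only as a side effect. The `:test` branch directly below already uses `""` for "no policy", so `config :dotcom, :content_security_policy_definition, ""` would be consistent, provided the code that consumes this key (not visible in this hunk) tolerates an empty value. With no policy in dev, a new script, frame or connect origin that the production policy blocks will first fail after deploy, and the added comment does not say why a restrictive CSP is unwanted locally. I would extend it with something like `# No CSP in dev (it blocks local tooling); check new third-party origins against the prod policy before merging`. The `case config_env() do` expression starts and ends outside the hunk.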
