Avoid using wildcards for CSP header

author: Serghei Iakovlev <egrep@protonmail.ch> 2022-07-24 18:54:52 +0200
committer: Serghei Iakovlev <egrep@protonmail.ch> 2022-07-24 18:54:52 +0200
commit: a57f4e32891b412dd41629a142b599ff2acb4be1 (patch)
tree: b83a5d361686ba9157d641042679c4d8c0ab6772
parent: c4f56a567b3f8a0f8b4cab4c3e8dcdaaf035545a (diff)
download: gohugo-theme-ed-a57f4e32891b412dd41629a142b599ff2acb4be1.tar.gz
1 files changed, 3 insertions, 3 deletions
diff --git a/netlify.toml b/netlify.toml
index 4f5521d..8edb56f 100644
--- a/netlify.toml
+++ b/netlify.toml
@@ -89,11 +89,11 @@
     # (including inline scripts and event-handling HTML attributes).
     Content-Security-Policy = """
     default-src 'self';
-    script-src 'self' *.googletagmanager.com;
+    script-src 'self' www.googletagmanager.com;
     style-src 'self';
-    img-src 'self' data: *.google-analytics.com *.googletagmanager.com *.gstatic.com;
+    img-src 'self' data: www.google-analytics.com www.googletagmanager.com www.gstatic.com stats.g.doubleclick.net;
     font-src 'self';
-    connect-src 'self' *.google-analytics.com *.analytics.google.com analytics.google.com *.googletagmanager.com *.doubleclick.net;
+    connect-src 'self' www.google-analytics.com analytics.google.com www.googletagmanager.com stats.g.doubleclick.net;
     media-src 'self';
     object-src 'self';
     frame-src 'none';
author	Serghei Iakovlev <egrep@protonmail.ch>	2022-07-24 18:54:52 +0200
committer	Serghei Iakovlev <egrep@protonmail.ch>	2022-07-24 18:54:52 +0200
commit	a57f4e32891b412dd41629a142b599ff2acb4be1 (patch)
tree	b83a5d361686ba9157d641042679c4d8c0ab6772
parent	c4f56a567b3f8a0f8b4cab4c3e8dcdaaf035545a (diff)
download	gohugo-theme-ed-a57f4e32891b412dd41629a142b599ff2acb4be1.tar.gz