From 706c532f81fc6ad7f863ae4fd30b0291cb377f7e Mon Sep 17 00:00:00 2001
From: Serghei Iakovlev
Date: Tue, 5 Jul 2022 23:27:48 +0200
Subject: Amend img-src and connect-src for CSP header

---
 netlify.toml | 35 ++++++++++++++++++++++++++++++-----
 1 file changed, 30 insertions(+), 5 deletions(-)

(limited to 'netlify.toml')

diff --git a/netlify.toml b/netlify.toml
index 7083039..afa9e75 100644
--- a/netlify.toml
+++ b/netlify.toml
@@ -18,7 +18,7 @@
 # here but we recommend using the Netlify UI for sensitive
 # values to keep them out of your source repository.
 [context.production]
- command = 'hugo --enableGitInfo --source=exampleSite --destination ../public'
+ command = 'hugo --source=exampleSite --destination ../public'
 
 [context.production.environment]
 HUGO_ENV = 'production'
@@ -27,7 +27,7 @@
 # Deploy Preview context: all deploys generated from
 # a pull/merge request will inherit these settings.
 [context.deploy-preview]
- command = 'hugo --enableGitInfo --source=exampleSite --buildDrafts --buildFuture --baseURL ${DEPLOY_PRIME_URL} --destination ../public'
+ command = 'hugo --source=exampleSite --buildDrafts --buildFuture --baseURL ${DEPLOY_PRIME_URL} --destination ../public'
 
 [context.deploy-preview.environment]
 HUGO_ENV = 'development'
@@ -36,7 +36,7 @@
 # a pull/merge request or from the Production branch
 # will inherit these settings.
 [context.branch-deploy]
- command = 'hugo --enableGitInfo --source=exampleSite --buildDrafts --buildFuture --baseURL ${DEPLOY_PRIME_URL} --destination ../public'
+ command = 'hugo --source=exampleSite --buildDrafts --buildFuture --baseURL ${DEPLOY_PRIME_URL} --destination ../public'
 
 [context.branch-deploy.environment]
 HUGO_ENV = 'development'
@@ -71,14 +71,39 @@
 Strict-Transport-Security = 'max-age=31536000; includeSubDomains; preload'
 # This used to be called Feature Policy and is mainly only support by
 # Chrome browsers. It’s used to control what browser APIs can be used.
- Permissions-Policy = 'accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=(), interest-cohort=()'
+ Permissions-Policy = '''
+ accelerometer=(),
+ camera=(),
+ geolocation=(),
+ gyroscope=(),
+ magnetometer=(),
+ microphone=(),
+ payment=(),
+ usb=(),
+ interest-cohort=()'''
 # CSP makes it possible for server administrators to reduce or eliminate
 # the vectors by which XSS can occur by specifying the domains that the
 # browser should consider to be valid sources of executable scripts.
 # A CSP compatible browser will then only execute scripts loaded in source
 # files received from those allowed domains, ignoring all other scripts
 # (including inline scripts and event-handling HTML attributes).
- Content-Security-Policy = "default-src 'self'; script-src 'self' *.netlify.app *.netlify.com *.googletagmanager.com; style-src 'self'; img-src 'self' data: *.google-analytics.com *.googletagmanager.com *.gstatic.com; font-src 'self'; connect-src 'self' *.google-analytics.com analytics.google.com *.googletagmanager.com *.doubleclick.net; media-src 'self'; object-src 'self'; frame-src 'none'; worker-src 'self'; frame-ancestors 'none'; form-action 'self' submit-form.com; upgrade-insecure-requests; base-uri 'self'; manifest-src 'self'; report-uri https://egrep.report-uri.com/r/d/csp/enforce"
+ Content-Security-Policy = """
+ default-src 'self';
+ script-src 'self' *.netlify.app *.netlify.com *.googletagmanager.com;
+ style-src 'self';
+ img-src 'self' data: *.google-analytics.com *.googletagmanager.com *.gstatic.com;
+ font-src 'self';
+ connect-src 'self' *.google-analytics.com *.analytics.google.com analytics.google.com *.googletagmanager.com *.doubleclick.net;
+ media-src 'self';
+ object-src 'self';
+ frame-src 'none';
+ worker-src 'self';
+ frame-ancestors 'none';
+ form-action 'self' submit-form.com;
+ upgrade-insecure-requests;
+ base-uri 'self';
+ manifest-src 'self';
+ report-uri https://egrep.report-uri.com/r/d/csp/enforce"""
 
 [[headers]]
 for = '/feeds/*.xml'
-- cgit v1.2.3
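Review bot: The new `script-src 'self' *.netlify.app *.netlify.com *.googletagmanager.com;` line allows script from every subdomain of netlify.app, and since any Netlify account gets a `<name>.netlify.app` hostname, an attacker with an injection point only needs to host the payload on their own free site to defeat the XSS mitigation the comment above the policy describes. `'self'` already covers the production origin and each deploy preview's own origin, so the wildcard is presumably there for some cross-origin asset; if so, name the exact host, otherwise reduce the line to `script-src 'self' https://www.googletagmanager.com;` (the GTM allowance remains a script-injection surface for anyone who can edit the container, which may be an accepted risk but is worth a comment). While here, `object-src 'self'` should be `object-src 'none';` since nothing in the policy indicates plugin content is served, and `'none'` is the accepted hardening default. The `"""` value also carries raw newlines into the header; unless Netlify folds them the header is malformed and silently unenforced, so either verify the served header with `curl -sI <deploy-url>` after deploy or end each line with a `\` so the TOML value is a single line regardless of how the platform treats multi-line strings.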