Clean up CSP a little more to work properly with Analytics. (#698)

2023-09-11 02:24:16 -05:00 · 2023-09-11 02:24:16 -05:00 · 7b12fba945
commit 7b12fba945
parent 75edfe8b31
3 changed files with 4 additions and 6 deletions
--- a/files/routes/allroutes.py
+++ b/files/routes/allroutes.py
@ -52,10 +52,10 @@ def teardown_request(error):
@app.after_request
 def after_request(response: Response):
 	response.headers.add("Content-Security-Policy", (
-		"script-src 'self' 'unsafe-inline';"
+		" script-src:  'self' https://*.googletagmanager.com"
-		" connect-src 'self' *.google-analytics.com *.analytics.google.com;"
+		" img-src:     https://*.google-analytics.com https://*.googletagmanager.com"
-		" object-src 'none';"
+		" connect-src: 'self' https://*.google-analytics.com https://*.analytics.google.com https://*.googletagmanager.com"
-		" img-src 'self' *.google-analytics.com *.analytics.google.com"
+		" object-src: 'none'"
 	))
 	response.headers.add("Strict-Transport-Security", "max-age=31536000")
 	response.headers.add("X-Frame-Options", "deny")
--- a/files/templates/email/default.html
+++ b/files/templates/email/default.html
@ -3,7 +3,6 @@
 <html>
  <head>
    <meta name="description" content="{{config('DESCRIPTION')}}">
    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'; connect-src 'self'; object-src 'none';">
    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
    <title></title>
--- a/files/templates/settings2.html
+++ b/files/templates/settings2.html
@ -6,7 +6,6 @@
 	{% include "analytics.html" %}
 	<meta name="description" content="{{config('DESCRIPTION')}}">
 	<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'; connect-src 'self'; object-src 'none';">
 	<script src="{{ 'js/bootstrap.js' | asset }}"></script>