From 9c0fac1a76e1a538e65c4d0840511f9886f76225 Mon Sep 17 00:00:00 2001
From: Mavis Ou
Date: Fri, 22 Mar 2024 15:09:21 -0700
Subject: [PATCH] update a bunch of CSP values
---
.github/workflows/continous-integration.yml | 7 +-
.../workflows/visual-regression-testing.yml | 7 +-
app.json | 9 +-
env.default | 87 +------------------
4 files changed, 11 insertions(+), 99 deletions(-)
diff --git a/.github/workflows/continous-integration.yml b/.github/workflows/continous-integration.yml
index 37cd39bd9cd..1a23ece1c35 100644
--- a/.github/workflows/continous-integration.yml
+++ b/.github/workflows/continous-integration.yml
@@ -144,11 +144,10 @@ jobs:
 X_FRAME_OPTIONS: DENY
 XSS_PROTECTION: True
 CSP_CONNECT_SRC: "*"
- CSP_FONT_SRC: "'self' https://fonts.gstatic.com https://fonts.googleapis.com https://code.cdn.mozilla.net https://stackpath.bootstrapcdn.com/font-awesome/4.7.0/fonts/ data:"
- CSP_FRAME_SRC: "'self' https://www.google.com/recaptcha/"
- CSP_SCRIPT_SRC: "'self' 'unsafe-inline' https://www.google-analytics.com/analytics.js http://*.shpg.org/ https://comments.mozillafoundation.org/ https://airtable.com https://platform.twitter.com https://cdnjs.cloudflare.com/ajax/libs/gsap/3.8.0/gsap.min.js https://cdnjs.cloudflare.com/ajax/libs/gsap/3.8.0/ScrollTrigger.min.js https://*.googletagmanager.com https://*.fundraiseup.com https://mozillafoundation.tfaforms.net https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ 'unsafe-eval'"
+ CSP_FONT_SRC: "'self' https://fonts.gstatic.com https://fonts.googleapis.com https://code.cdn.mozilla.net https://stackpath.bootstrapcdn.com/font-awesome/4.7.0/fonts/ data: https://static.fundraiseup.com/common-fonts/"
+ CSP_FRAME_SRC: "'self' https://www.google.com/recaptcha/ https://*.stripe.com https://pay.google.com https://*.paypal.com"
+ CSP_SCRIPT_SRC: "'self' 'unsafe-inline' https://www.google-analytics.com/analytics.js http://*.shpg.org/ https://comments.mozillafoundation.org/ https://airtable.com https://platform.twitter.com https://cdnjs.cloudflare.com/ajax/libs/gsap/3.8.0/gsap.min.js https://cdnjs.cloudflare.com/ajax/libs/gsap/3.8.0/ScrollTrigger.min.js https://*.googletagmanager.com https://*.fundraiseup.com https://mozillafoundation.tfaforms.net https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ 'unsafe-eval' https://*.stripe.com https://m.stripe.network https://*.paypal.com https://*.paypalobjects.com https://pay.google.com"
 CSP_STYLE_SRC: "'self' 'unsafe-inline' https://code.cdn.mozilla.net https://fonts.googleapis.com https://platform.twitter.com https://mozillafoundation.tfaforms.net https://stackpath.bootstrapcdn.com/font-awesome/4.7.0/css/font-awesome.min.css"
- SECURE_CROSS_ORIGIN_OPENER_POLICY: "'same-origin-allow-popups'"
 steps:
 - uses: actions/checkout@v3
 - uses: actions/setup-python@v4
diff --git a/.github/workflows/visual-regression-testing.yml b/.github/workflows/visual-regression-testing.yml
index 093737fac0f..f7e7c26480d 100644
--- a/.github/workflows/visual-regression-testing.yml
+++ b/.github/workflows/visual-regression-testing.yml
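Review bot: The new `CSP_SCRIPT_SRC` value trusts every host under `https://*.stripe.com`, `https://*.paypal.com` and `https://*.paypalobjects.com` as a script origin, and because the directive already carries `'unsafe-inline'` and `'unsafe-eval'`, each wildcard is a full-privilege script source; the same wildcards are added to the visual-regression workflow and `app.json` in the following hunks. Prefer naming the hosts the checkout actually loads scripts from, as was done for `https://m.stripe.network`, and record why each vendor is present with a comment such as `# stripe / paypal / google pay: donation checkout` above the key. The deletion of `SECURE_CROSS_ORIGIN_OPENER_POLICY` here and in the other three files is not matched by a settings change in this patch; if the setting now falls back to Django's default `same-origin`, the cross-origin payment popups these new frame-src/script-src entries serve may lose `window.opener`, so confirm where the value is set now. The enclosing `env:` block starts before the hunk.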
@@ -30,12 +30,12 @@ jobs:
 CSP_CHILD_SRC: " 'self' https://www.youtube.com https://www.youtube-nocookie.com "
 CSP_CONNECT_SRC: " * "
 CSP_DEFAULT_SRC: " 'none' "
- CSP_FONT_SRC: " 'self' data: https://fonts.gstatic.com https://fonts.googleapis.com https://code.cdn.mozilla.net https://static.fundraiseup.com/fonts/ https://stackpath.bootstrapcdn.com/font-awesome/4.7.0/fonts/"
+ CSP_FONT_SRC: " 'self' data: https://fonts.gstatic.com https://fonts.googleapis.com https://code.cdn.mozilla.net https://*.fundraiseup.com https://stackpath.bootstrapcdn.com/font-awesome/4.7.0/fonts/"
 CSP_FRAME_ANCESTORS: " 'none' "
- CSP_FRAME_SRC: " 'self' https://www.youtube.com https://comments.mozillafoundation.org/ https://airtable.com https://docs.google.com/ https://platform.twitter.com https://public.zenkit.com https://calendar.google.com https://www.youtube-nocookie.com https://form.typeform.com https://js.tito.io https://datawrapper.dwcdn.net https://www.google.com/recaptcha/"
+ CSP_FRAME_SRC: " 'self' https://www.youtube.com https://comments.mozillafoundation.org/ https://airtable.com https://docs.google.com/ https://platform.twitter.com https://public.zenkit.com https://calendar.google.com https://www.youtube-nocookie.com https://form.typeform.com https://js.tito.io https://datawrapper.dwcdn.net https://www.google.com/recaptcha/ https://*.stripe.com https://pay.google.com https://*.paypal.com"
 CSP_IMG_SRC: " * data: "
 CSP_MEDIA_SRC: " 'self' data: https://s3.amazonaws.com/mofo-assets/foundation/video/ "
- CSP_SCRIPT_SRC: " 'self' 'unsafe-inline' https://www.google-analytics.com/analytics.js http://*.shpg.org/ https://comments.mozillafoundation.org/ https://airtable.com https://platform.twitter.com https://cdn.syndication.twimg.com https://embed.typeform.com https://js.tito.io https://js-plugins.tito.io/gtm.js https://tagmanager.google.com *.googletagmanager.com https://*.fundraiseup.com https://mozillafoundation.tfaforms.net https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ 'unsafe-eval'"
+ CSP_SCRIPT_SRC: " 'self' 'unsafe-inline' https://www.google-analytics.com/analytics.js http://*.shpg.org/ https://comments.mozillafoundation.org/ https://airtable.com https://platform.twitter.com https://cdn.syndication.twimg.com https://embed.typeform.com https://js.tito.io https://js-plugins.tito.io/gtm.js https://tagmanager.google.com *.googletagmanager.com https://*.fundraiseup.com https://mozillafoundation.tfaforms.net https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ 'unsafe-eval' https://*.stripe.com https://m.stripe.network https://*.paypal.com https://*.paypalobjects.com https://pay.google.com"
 CSP_STYLE_SRC: " 'self' 'unsafe-inline' https://code.cdn.mozilla.net https://fonts.googleapis.com https://platform.twitter.com https://js.tito.io https://tagmanager.google.com https://mozillafoundation.tfaforms.net https://stackpath.bootstrapcdn.com/font-awesome/4.7.0/css/font-awesome.min.css"
 CSP_INCLUDE_NONCE_IN: "script-src"
 DATABASE_URL: postgres://postgres:postgres@localhost:5432/network
@@ -48,7 +48,6 @@ jobs:
 PULSE_API_DOMAIN: https://network-pulse-api-production.herokuapp.com
 PULSE_DOMAIN: https://www.mozillapulse.org
 RANDOM_SEED: 530910203
- SECURE_CROSS_ORIGIN_OPENER_POLICY: "'same-origin-allow-popups'"
 SET_HSTS: False
 SSL_REDIRECT: False
 TARGET_DOMAINS: foundation.mozilla.org
diff --git a/app.json b/app.json
index c6bc8326b27..2ac3e0575f8 100644
--- a/app.json
+++ b/app.json
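Review bot: `CSP_FONT_SRC` in this hunk replaces the path-scoped `https://static.fundraiseup.com/fonts/` with the wildcard `https://*.fundraiseup.com`, while the continuous-integration workflow in the previous hunk keeps its fonts entry path-scoped and adds `https://static.fundraiseup.com/common-fonts/` instead, so the two workflows now exercise different font-src policies for the same site (`app.json` in the next hunk follows this hunk's wildcard form). Pick one form for all three copies, preferably the narrower `https://static.fundraiseup.com/fonts/ https://static.fundraiseup.com/common-fonts/`, so a regression in either job reflects what production serves. The `env:` block these keys belong to starts before the hunk; the second hunk of this file only drops `SECURE_CROSS_ORIGIN_OPENER_POLICY`.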
@@ -28,16 +28,15 @@
 "CSP_CONNECT_SRC": "*",
 "CSP_DEFAULT_SRC": "'none'",
 "CSP_FRAME_ANCESTORS": "'none'",
- "CSP_FRAME_SRC": "'self' https://js.tito.io https://www.google.com/recaptcha/",
- "CSP_FONT_SRC": "'self' https://fonts.gstatic.com https://fonts.googleapis.com https://code.cdn.mozilla.net https://static.fundraiseup.com/fonts/ https://stackpath.bootstrapcdn.com/font-awesome/4.7.0/fonts/",
+ "CSP_FRAME_SRC": "'self' https://js.tito.io https://www.google.com/recaptcha/ https://*.stripe.com https://pay.google.com https://*.paypal.com",
+ "CSP_FONT_SRC": "'self' https://fonts.gstatic.com https://fonts.googleapis.com https://code.cdn.mozilla.net https://*.fundraiseup.com https://stackpath.bootstrapcdn.com/font-awesome/4.7.0/fonts/",
 "CSP_IMG_SRC": "* data:",
 "CSP_MEDIA_SRC": "'self' https://s3.amazonaws.com/mofo-assets/foundation/video/",
- "CSP_SCRIPT_SRC": "'self' 'unsafe-inline' https://www.google-analytics.com/analytics.js http://*.shpg.org/ https://comments.mozillafoundation.org/ https://airtable.com https://platform.twitter.com https://cdn.syndication.twimg.com https://js.tito.io https://js-plugins.tito.io/gtm.js https://*.fundraiseup.com *.googletagmanager.com https://mozillafoundation.tfaforms.net https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ 'unsafe-eval'",
+ "CSP_SCRIPT_SRC": "'self' 'unsafe-inline' https://www.google-analytics.com/analytics.js http://*.shpg.org/ https://comments.mozillafoundation.org/ https://airtable.com https://platform.twitter.com https://cdn.syndication.twimg.com https://js.tito.io https://js-plugins.tito.io/gtm.js https://*.fundraiseup.com *.googletagmanager.com https://mozillafoundation.tfaforms.net https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ 'unsafe-eval' https://*.stripe.com https://m.stripe.network https://*.paypal.com https://pay.google.com",
 "CSP_STYLE_SRC": "'self' 'unsafe-inline' https://code.cdn.mozilla.net https://fonts.googleapis.com https://platform.twitter.com https://js.tito.io https://mozillafoundation.tfaforms.net https://stackpath.bootstrapcdn.com/font-awesome/4.7.0/css/font-awesome.min.css",
 "NPM_CONFIG_PRODUCTION": "true",
 "REVIEW_APP": "True",
- "XROBOTSTAG_ENABLED": "True",
- "SECURE_CROSS_ORIGIN_OPENER_POLICY": "'same-origin-allow-popups'"
+ "XROBOTSTAG_ENABLED": "True"
 },
 "buildpacks": [
 {
diff --git a/env.default b/env.default
index c9bace290c5..2a0041935eb 100644
--- a/env.default
+++ b/env.default
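Review bot: The new `CSP_SCRIPT_SRC` here omits `https://*.paypalobjects.com`, which both workflow hunks add right after `https://*.paypal.com`; since `app.json` drives the review-app environment, a PayPal script served from that host would pass CI but be blocked on review apps, assuming the host is actually loaded. Either append it here so the value reads `... https://*.paypal.com https://*.paypalobjects.com https://pay.google.com` or drop it from the workflows, so the three copies of the policy stay identical. The enclosing `"env"` object starts before the hunk.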
@@ -1,86 +1 @@
-# Pulse endpoints. If you need to do local integration testing between the foundation
-# site and the pulse services, use the internal docker host syntax, e.g:
-#
-# PULSE_API_DOMAIN=http://host.docker.internal:8080
-#
-# Note that for this to work, host.docker.internal should have a loopback entry in
-# your etc/hosts file. Docker Desktop should have added this when it got installed,
-# but if the line is not there, you'll need to manually add it.
-#
-PULSE_API_DOMAIN=https://network-pulse-api-production.herokuapp.com
-PULSE_DOMAIN=https://www.mozillapulse.org
-
-# Always add a protocol (ex: https://) in front of the NETWORK_SITE_URL, including for localhost
-NETWORK_SITE_URL=http://localhost:8000
-WAGTAILADMIN_BASE_URL=http://localhost:8000
-DOMAIN_REDIRECT_MIDDLEWARE_ENABLED=False
-TARGET_DOMAINS=foundation.mozilla.org
-
-# network-api environment:
-ALLOWED_HOSTS=*
-# APP_ENVIRONMENT is used to prepend [S] or [RA] to page tab title & change favicon color,
-# choices are "Review" and "Staging" and are set in Heroku.
-APP_ENVIRONMENT=
-ASSET_DOMAIN=network.mofoprod.net
-CONTENT_TYPE_NO_SNIFF=True
-CORS_ALLOWED_ORIGINS=*
-CORS_ALLOWED_ORIGIN_REGEXES=
-DATABASE_URL=postgresql://foundation@postgres:5432/wagtail
-DEBUG=True
-DEBUG_TOOLBAR_ENABLED=False
-VSCODE_DEBUGGER=False
-DJANGO_SECRET_KEY=secret
-LOAD_FIXTURE=False
-SET_HSTS=False
-SOCIAL_AUTH_GOOGLE_OAUTH2_KEY=
-SOCIAL_AUTH_GOOGLE_OAUTH2_SECRET=
-SOCIAL_AUTH_LOGIN_REDIRECT_URL=http://localhost:5000/soc/complete/google-oauth2/
-SSL_REDIRECT=False
-USE_S3=False
-X_FRAME_OPTIONS=DENY
-XSS_PROTECTION=True
-XROBOTSTAG_ENABLED=False
-
-# Basket config:
-
-# See the Basket client docs https://basket-client.readthedocs.io/en/latest/install.html
-BASKET_URL=https://basket-dev.allizom.org
-
-
-# CSP config
-CSP_CHILD_SRC=" 'self' https://www.youtube.com https://www.youtube-nocookie.com "
-CSP_CONNECT_SRC=" * "
-CSP_DEFAULT_SRC=" 'none' "
-CSP_FONT_SRC=" 'self' data: https://fonts.gstatic.com https://fonts.googleapis.com https://code.cdn.mozilla.net https://static.fundraiseup.com/fonts/ https://stackpath.bootstrapcdn.com/font-awesome/4.7.0/fonts/"
-CSP_FRAME_ANCESTORS=" 'self' "
-CSP_FRAME_SRC=" 'self' https://www.youtube.com https://comments.mozillafoundation.org/ https://airtable.com https://docs.google.com/ https://platform.twitter.com https://public.zenkit.com https://calendar.google.com https://www.youtube-nocookie.com https://form.typeform.com https://js.tito.io https://datawrapper.dwcdn.net https://www.google.com/recaptcha/"
-CSP_IMG_SRC=" * data: "
-CSP_MEDIA_SRC=" 'self' data: https://s3.amazonaws.com/mofo-assets/foundation/video/ "
-CSP_SCRIPT_SRC=" 'self' 'unsafe-inline' https://www.google-analytics.com/analytics.js http://*.shpg.org/ https://comments.mozillafoundation.org/ https://airtable.com https://platform.twitter.com https://cdn.syndication.twimg.com https://embed.typeform.com https://js.tito.io https://js-plugins.tito.io/gtm.js https://tagmanager.google.com *.googletagmanager.com https://*.fundraiseup.com https://mozillafoundation.tfaforms.net https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ 'unsafe-eval'"
-CSP_STYLE_SRC=" 'self' 'unsafe-inline' https://code.cdn.mozilla.net https://fonts.googleapis.com https://platform.twitter.com https://js.tito.io https://tagmanager.google.com https://mozillafoundation.tfaforms.net https://stackpath.bootstrapcdn.com/font-awesome/4.7.0/css/font-awesome.min.css"
-CSP_INCLUDE_NONCE_IN=script-src
-
-# Security config
-SECURE_CROSS_ORIGIN_OPENER_POLICY = " 'same-origin-allow-popups' "
-
-# Petition test campaign id for Salesforce Sandbox
-PETITION_TEST_CAMPAIGN_ID=7017i000000bIgTAAU
-
-# Localization
-LOCAL_PATH_TO_L10N_REPO=
-
-# REVIEW APPS SLACK BOT
-GITHUB_TOKEN=
-SLACK_WEBHOOK_RA=
-
-# BUYER'S GUIDE Configuration
-PNI_STATS_DB_URL=
-USE_COMMENTO=
-
-# Sentry
-SENTRY_DSN=
-HEROKU_RELEASE_VERSION=
-SENTRY_ENVIRONMENT=
-
-# CDN configuration
-STATIC_HOST=
+https://raw.githubusercontent.com/MozillaFoundation/foundation.mozilla.org/f9f1af7c7fe0517a714f778556c6d1a0e423791e/env.default
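Review bot: The new `env.default` consists of the single added line `https://raw.githubusercontent.com/MozillaFoundation/foundation.mozilla.org/f9f1af7c7fe0517a714f778556c6d1a0e423791e/env.default`, which is not a `KEY=VALUE` assignment, so any dotenv loader reading this file now gets no defaults at all and may reject the line outright; the URL also points at a pinned earlier revision whose CSP values predate this commit, so the change in the subject never reaches local development. This looks like a raw-file URL pasted in place of the file's contents rather than an intended edit. Restore the 86 removed lines and apply the same edits the workflow hunks make: append `https://*.stripe.com https://pay.google.com https://*.paypal.com` to `CSP_FRAME_SRC`, append `https://*.stripe.com https://m.stripe.network https://*.paypal.com https://*.paypalobjects.com https://pay.google.com` to `CSP_SCRIPT_SRC`, and keep the `# CSP config` comment block so the origin of each vendor entry stays documented. Remove `SECURE_CROSS_ORIGIN_OPENER_POLICY` only once its replacement in settings is confirmed.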