Update CSP policy

dust-tt · Jan 8, 2025 · 4ea7435 · 4ea7435
1 parent cc5a77d
commit 4ea7435
Show file tree

Hide file tree

Showing 3 changed files with 95 additions and 87 deletions.
diff --git a/front/next.config.js b/front/next.config.js
@@ -1,5 +1,13 @@
 const path = require("path");
 
+const CONTENT_SECURITY_POLICIES =
+  `script-src 'self' 'unsafe-inline' 'unsafe-eval' www.googletagmanager.com;` +
+  ` style-src 'self' 'unsafe-inline' *.typekit.net;` +
+  ` connect-src 'self';` +
+  ` form-action 'self';` +
+  ` base-uri 'self';` +
+  ` frame-ancestors 'self';`;
+
 module.exports = {
   transpilePackages: ["@uiw/react-textarea-code-editor"],
   // As of Next 14.2.3 swc minification creates a bug in the generated client side files.
@@ -49,7 +57,7 @@ module.exports = {
         headers: [
           {
             key: "Content-Security-Policy",
-            value: "frame-ancestors 'self'",
+            value: CONTENT_SECURITY_POLICIES,
           },
           {
             key: "Strict-Transport-Security",

diff --git a/front/package-lock.json b/front/package-lock.json
diff --git a/viz/package-lock.json b/viz/package-lock.json