From 4df964245a6755b168fbdb8c3352fe720f5280e6 Mon Sep 17 00:00:00 2001 From: Jake Jarvis Date: Mon, 17 May 2021 18:43:26 -0400 Subject: [PATCH] clean up CSP (and block interest-cohort permission) --- netlify.toml | 17 +++++++++++------ 1 file changed, 11 insertions(+), 6 deletions(-) diff --git a/netlify.toml b/netlify.toml index 4b800f1d..c2213750 100644 --- a/netlify.toml +++ b/netlify.toml @@ -68,17 +68,18 @@ # https://amp.dev/documentation/guides-and-tutorials/optimize-and-measure/secure-pages/ Content-Security-Policy = ''' default-src 'self'; - connect-src 'self' https://*.ampproject.net https://csp-collector.appspot.com/csp/amp https://api.github.com https://platform.twitter.com; - font-src 'self' https://fonts.googleapis.com https://fonts.gstatic.com; + base-uri 'none'; + connect-src 'self' *.ampproject.net csp-collector.appspot.com/csp/amp api.github.com platform.twitter.com; + font-src 'self' fonts.googleapis.com fonts.gstatic.com; form-action 'none'; frame-ancestors 'self'; - frame-src 'self' https://jakejarvis.github.io https://*.ampproject.net https://cdn.ampproject.org https://app.usefathom.com https://buttons.github.io https://codepen.io https://cdpn.io https://platform.twitter.com https://player.vimeo.com https://www.youtube-nocookie.com; + frame-src 'self' jakejarvis.github.io *.ampproject.net cdn.ampproject.org app.usefathom.com buttons.github.io codepen.io cdpn.io platform.twitter.com player.vimeo.com www.youtube-nocookie.com; img-src 'self' data: https:; manifest-src 'self'; media-src 'self' data: https:; object-src 'none'; - script-src 'self' 'unsafe-eval' https://cdn.ampproject.org/lts/v0.js https://cdn.ampproject.org/lts/v0/ https://cdn.ampproject.org/viewer/ https://cdn.ampproject.org/rtv/ https://3p.ampproject.net https://buttons.github.io https://gist.github.com https://syndication.twitter.com https://platform.twitter.com https://player.vimeo.com 'sha256-y3Xr/40/KQnUvqk/kZO5us6t3i/I49BsbYjsH8ELhVg=' 'sha256-JGG0npUp+0ABq/NY1azjpQ0WBtm+m5gU58mzF+2DCXY='; - style-src 'self' 'unsafe-inline' https://cdn.ampproject.org/rtv/ https://fonts.googleapis.com https://github.githubassets.com; + script-src 'self' 'unsafe-eval' cdn.ampproject.org/lts/v0.js cdn.ampproject.org/lts/v0/ cdn.ampproject.org/viewer/ cdn.ampproject.org/rtv/ 3p.ampproject.net buttons.github.io gist.github.com syndication.twitter.com platform.twitter.com player.vimeo.com 'sha256-y3Xr/40/KQnUvqk/kZO5us6t3i/I49BsbYjsH8ELhVg=' 'sha256-JGG0npUp+0ABq/NY1azjpQ0WBtm+m5gU58mzF+2DCXY='; + style-src 'self' 'unsafe-inline' cdn.ampproject.org/rtv/ fonts.googleapis.com assets-cdn.github.com github.githubassets.com; worker-src 'self'; block-all-mixed-content; report-uri https://jarv.is/api/csp_wizard; @@ -89,7 +90,7 @@ {"group":"default","max_age":604800,"endpoints":[{"url":"https://jarv.is/api/report"}],"include_subdomains":false}''' # More generic security headers: Feature-Policy = "accelerometer 'none'; camera 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; payment 'none'; usb 'none'" - Permissions-Policy = "accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=()" + Permissions-Policy = "accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=(), interest-cohort=()" Referrer-Policy = "no-referrer-when-downgrade" X-Content-Type-Options = "nosniff" X-Frame-Options = "SAMEORIGIN" @@ -187,6 +188,10 @@ from = "/twemoji/svg/*" to = "/vendor/emoji/svg/:splat" status = 301 +[[redirects]] + from = "/vendor/inter/*" + to = "/vendor/fonts/:splat" + status = 301 # Moved these random sites/projects elsewhere (mostly GitHub Pages) to keep # this repo and domain squeaky clean: