
A few tweaks to our report-only CSP header #2955

Merged: 1 commit merged into main, Sep 4, 2024

Conversation

@yob (Contributor) commented Sep 3, 2024

Our CSP is in report-only mode, but we'd like to get it closer to being enforceable. As a step in that direction I've opened a few pages in production, audited the most common CSP warnings in the browser console, and this should resolve them. These are all expected tools; our policy has just bitrotted, or the vendor has changed their resources.

  1. object_src: we can't include `none` alongside an actual value
  2. connect_src: we load GA v4 from www.googletagmanager.com, but it wants to submit data to https://www.google-analytics.com
  3. connect_src: helpscout beacon wants to send data to a cloudfront distribution

CSP docs for Helpscout beacon (mentions the cloudfront domain): https://docs.helpscout.com/article/815-csp-settings-for-beacon

CSP docs for datadog real user monitoring:
https://docs.datadoghq.com/integrations/content_security_policy_logs/

I also added some comments as context for future travelers.
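The three warnings in the description are all source-list mismatches, and the first is the one worth understanding: `'none'` only has effect when it is a directive's entire value; next to other source expressions browsers ignore it (Chrome logs a console warning saying exactly that), so the directive quietly allows whatever the other expressions allow. What follows is an added example, not code from this PR or the Buildkite docs repository: a small CSP3 source-expression matcher in JavaScript that lints a policy for that mixed `'none'` case and checks whether a given request URL would be reported under `connect-src`. The page origin, the "before" policy, the `embed.example.net` value and the `*.cloudfront.net` wildcard are constructed for illustration; the real header values are not shown in this PR, and the Helpscout beacon's actual distribution hostname is the one in Helpscout's CSP page, not the placeholder used here.

```javascript
// Added example (not from the Buildkite docs PR or repo): a minimal CSP3
// source-list matcher for debugging a report-only header. It models 'self',
// 'none', scheme-source, host-source (wildcard host, optional port, path) and
// the default-src fallback. Nonces, hashes, 'unsafe-*' and redirects are out of scope.

// Parse "directive value value; directive value" into a Map of lower-cased
// directive name -> array of source expressions (kept as written).
function parsePolicy(serialized) {
  const policy = new Map();
  for (const part of serialized.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// Lint for warning 1 in the PR: 'none' is only meaningful as the whole source
// list. Mixed with other expressions it is ignored by the browser.
function directivesMixingNone(policy) {
  return [...policy]
    .filter(([, sources]) => sources.length > 1 &&
      sources.some((s) => s.toLowerCase() === "'none'"))
    .map(([name]) => name);
}

function defaultPort(protocol) {
  return { "https:": "443", "http:": "80", "wss:": "443", "ws:": "80" }[protocol] || "";
}

// Does one source expression match `url`? `pageOrigin` is the document's URL,
// used for 'self' and for host-sources written without a scheme.
function expressionMatches(expr, url, pageOrigin) {
  const e = expr.toLowerCase();
  if (e === "'none'") return false;                  // matches nothing, even when mixed in
  if (e === "'self'") return url.origin === pageOrigin.origin;
  if (e.startsWith("'")) return false;               // nonce/hash/unsafe-* keywords: not modelled
  if (e === "*") return ["http:", "https:", "ws:", "wss:"].includes(url.protocol);
  const schemeOk = (want) => want === url.protocol ||
    (want === "http:" && url.protocol === "https:") || // CSP3 lets an http: source match https:
    (want === "ws:" && url.protocol === "wss:");
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return schemeOk(e); // scheme-source, e.g. "https:"
  // host-source: [scheme://]host[:port][/path]
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[^/:*]+)(?::(\d+|\*))?(\/[^?#]*)?$/.exec(e);
  if (!m) return false;
  const [, scheme, host, port, path] = m;
  if (!schemeOk(scheme ? scheme + ":" : pageOrigin.protocol)) return false;
  if (host === "*") {
    // any host
  } else if (host.startsWith("*.")) {
    // "*.cloudfront.net" matches "d1.cloudfront.net" but not the bare "cloudfront.net"
    if (!url.hostname.endsWith(host.slice(1))) return false;
  } else if (url.hostname !== host) {
    return false;
  }
  const urlPort = url.port || defaultPort(url.protocol); // URL normalises default ports to ""
  if (port === undefined) {
    if (url.port !== "") return false;               // no port written: URL must use its default
  } else if (port !== "*" && port !== urlPort) {
    return false;
  }
  if (path !== undefined) {
    // trailing slash means prefix match, otherwise the path must match exactly
    if (path.endsWith("/") ? !url.pathname.startsWith(path) : url.pathname !== path) return false;
  }
  return true;
}

// Would a fetch/XHR/beacon to `urlString` be allowed (in report-only mode: not
// reported) under `directive`? Falls back to default-src when the directive is
// absent, and treats a wholly absent restriction as allowed.
function urlAllowedBy(policy, directive, urlString, pageOrigin) {
  const sources = policy.get(directive) ?? policy.get("default-src");
  if (sources === undefined) return true;
  if (sources.length === 1 && sources[0].toLowerCase() === "'none'") return false;
  const url = new URL(urlString);
  return sources.some((expr) => expressionMatches(expr, url, pageOrigin));
}

// Constructed inputs for illustration; these are not the real header values.
const PAGE = new URL("https://docs.example.com/");
const BEFORE = parsePolicy(
  "default-src 'self'; object-src 'none' https://embed.example.net; " +
  "connect-src 'self' https://www.googletagmanager.com"
);
const AFTER = parsePolicy(
  "default-src 'self'; object-src 'none'; " +
  "connect-src 'self' https://www.googletagmanager.com https://www.google-analytics.com https://*.cloudfront.net"
);
const GA_COLLECT = "https://www.google-analytics.com/g/collect?v=2&tid=G-XXXX";
const BEACON = "https://d1example.cloudfront.net/beacon"; // placeholder, not Helpscout's real host

console.log("directives mixing 'none':", directivesMixingNone(BEFORE)); // [ 'object-src' ]
console.log("GA4 collect before/after:",
  urlAllowedBy(BEFORE, "connect-src", GA_COLLECT, PAGE),   // false
  urlAllowedBy(AFTER, "connect-src", GA_COLLECT, PAGE));   // true
console.log("object-src with mixed 'none' still allows the host:",
  urlAllowedBy(BEFORE, "object-src", "https://embed.example.net/x.swf", PAGE)); // true
```

Report-only mode blocks nothing, so the matcher answers the question the PR's console audit was answering by eye: which requests would produce a violation report under the current header. The `object-src` case is the one to note: the "before" policy looks locked down because it says `'none'`, but the matcher shows the extra host is still honoured, which is why the PR's first fix is to make `'none'` the directive's only value.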

@yob yob requested review from dannymidnight, gilesgas and a team September 3, 2024 06:43
@buildkite-docs-bot (Contributor): Preview URL: https://2955--bk-docs-preview.netlify.app

@yob yob merged commit 5b96460 into main Sep 4, 2024
3 checks passed
@yob yob deleted the csp-refresh branch September 4, 2024 02:41