Revert "feat(ContentSecurityPolicy): Add a content security policy (#…

…2094)" This reverts commit f6f8081.
mbta · Jun 17, 2024 · 29a90a8 · 29a90a8
1 parent 2a0164a
commit 29a90a8
Show file tree

Hide file tree

Showing 2 changed files with 1 addition and 59 deletions.
diff --git a/config/runtime.exs b/config/runtime.exs
@@ -213,52 +213,3 @@ if System.get_env("LOGGER_LEVEL") in ~w(emergency alert critical error warning n
   config :logger, level: String.to_atom(System.get_env("LOGGER_LEVEL"))
   config :logger, :console, level: String.to_atom(System.get_env("LOGGER_LEVEL"))
 end
-
-# Extract the host fron the sentry dsn
-sentry_dsn_host =
-  case Regex.run(~r/@(.*)\//, System.get_env("SENTRY_DSN", ""), capture: :all_but_first) do
-    nil -> ""
-    [match | _] -> match
-  end
-
-# Set the content security policy
-case config_env() do
-  :prod ->
-    config :dotcom,
-           :content_security_policy_definition,
-           Enum.join(
-             [
-               "default-src 'none'",
-               "img-src 'self' cdn.mbta.com #{System.get_env("STATIC_HOST", "")} #{System.get_env("CMS_API_BASE_URL", "")} *.googleapis.com *.gstatic.com *.s3.amazonaws.com data:",
-               "style-src 'self' 'unsafe-inline' www.gstatic.com #{System.get_env("STATIC_HOST", "")}",
-               "script-src 'self' 'unsafe-eval' 'unsafe-inline' #{System.get_env("STATIC_HOST", "")} translate.google.com www.gstatic.com www.googletagmanager.com *.googleapis.com",
-               "font-src 'self' #{System.get_env("STATIC_HOST", "")}",
-               "connect-src 'self' *.googleapis.com #{sentry_dsn_host || ""}",
-               "frame-src 'self'"
-             ],
-             "; "
-           )
-
-  :dev ->
-    config :dotcom,
-           :content_security_policy_definition,
-           Enum.join(
-             [
-               "default-src 'none'",
-               "img-src 'self' cdn.mbta.com #{System.get_env("CMS_API_BASE_URL", "")} *.googleapis.com *.gstatic.com *.s3.amazonaws.com data:",
-               "style-src 'self' 'unsafe-inline' localhost:* www.gstatic.com",
-               "script-src 'self' 'unsafe-eval' 'unsafe-inline' localhost:* translate.google.com www.gstatic.com www.googletagmanager.com *.googleapis.com",
-               "font-src 'self' localhost:*",
-               "connect-src 'self' localhost:* ws://localhost:* *.googleapis.com",
-               "frame-src 'self' localhost:*"
-             ],
-             "; "
-           )
-
-  :test ->
-    config :dotcom, :content_security_policy_definition, ""
-
-  # Unknown env, reject all
-  _ ->
-    config :dotcom, :content_security_policy_definition, "default-src 'none'"
-end
diff --git a/lib/dotcom_web/router.ex b/lib/dotcom_web/router.ex
@@ -18,7 +18,7 @@ defmodule DotcomWeb.Router do
     plug(:fetch_session)
     plug(:fetch_flash)
     plug(:fetch_cookies)
-    plug(:put_secure_browser_headers_runtime, %{})
+    plug(:put_secure_browser_headers)
     plug(:put_root_layout, {DotcomWeb.LayoutView, :root})
     plug(DotcomWeb.Plugs.CanonicalHostname)
     plug(DotcomWeb.Plugs.Banner)
@@ -312,13 +312,4 @@ defmodule DotcomWeb.Router do
       Plug.Conn.put_resp_header(conn, "x-robots-tag", "noindex")
     end
   end
-
-  defp put_secure_browser_headers_runtime(conn, default_headers) do
-    runtime_headers = %{
-      "content-security-policy" =>
-        Application.get_env(:dotcom, :content_security_policy_definition)
-    }
-
-    put_secure_browser_headers(conn, Map.merge(default_headers, runtime_headers))
-  end
 end