From 29a90a8b1a229b016493d44c13a99f730a3af2bc Mon Sep 17 00:00:00 2001
From: Cristen Jones
Date: Mon, 17 Jun 2024 13:30:13 -0400
Subject: [PATCH] Revert "feat(ContentSecurityPolicy): Add a content security policy (#2094)"
This reverts commit f6f808113100b5bd93e256677b637ccb39306df4.
---
 config/runtime.exs | 49 ----------------------------------------
 lib/dotcom_web/router.ex | 11 +--------
 2 files changed, 1 insertion(+), 59 deletions(-)
diff --git a/config/runtime.exs b/config/runtime.exs
index a8a9e560c6..e7298b6779 100644
--- a/config/runtime.exs
+++ b/config/runtime.exs
@@ -213,52 +213,3 @@ if System.get_env("LOGGER_LEVEL") in ~w(emergency alert critical error warning n
 config :logger, level: String.to_atom(System.get_env("LOGGER_LEVEL"))
 config :logger, :console, level: String.to_atom(System.get_env("LOGGER_LEVEL"))
 end
-
-# Extract the host fron the sentry dsn
-sentry_dsn_host =
- case Regex.run(~r/@(.*)\//, System.get_env("SENTRY_DSN", ""), capture: :all_but_first) do
- nil -> ""
- [match | _] -> match
- end
-
-# Set the content security policy
-case config_env() do
- :prod ->
- config :dotcom,
- :content_security_policy_definition,
- Enum.join(
- [
- "default-src 'none'",
- "img-src 'self' cdn.mbta.com #{System.get_env("STATIC_HOST", "")} #{System.get_env("CMS_API_BASE_URL", "")} *.googleapis.com *.gstatic.com *.s3.amazonaws.com data:",
- "style-src 'self' 'unsafe-inline' www.gstatic.com #{System.get_env("STATIC_HOST", "")}",
- "script-src 'self' 'unsafe-eval' 'unsafe-inline' #{System.get_env("STATIC_HOST", "")} translate.google.com www.gstatic.com www.googletagmanager.com *.googleapis.com",
- "font-src 'self' #{System.get_env("STATIC_HOST", "")}",
- "connect-src 'self' *.googleapis.com #{sentry_dsn_host || ""}",
- "frame-src 'self'"
- ],
- "; "
- )
-
- :dev ->
- config :dotcom,
- :content_security_policy_definition,
- Enum.join(
- [
- "default-src 'none'",
- "img-src 'self' cdn.mbta.com #{System.get_env("CMS_API_BASE_URL", "")} *.googleapis.com *.gstatic.com *.s3.amazonaws.com data:",
- "style-src 'self' 'unsafe-inline' localhost:* www.gstatic.com",
- "script-src 'self' 'unsafe-eval' 'unsafe-inline' localhost:* translate.google.com www.gstatic.com www.googletagmanager.com *.googleapis.com",
- "font-src 'self' localhost:*",
- "connect-src 'self' localhost:* ws://localhost:* *.googleapis.com",
- "frame-src 'self' localhost:*"
- ],
- "; "
- )
-
- :test ->
- config :dotcom, :content_security_policy_definition, ""
-
- # Unknown env, reject all
- _ ->
- config :dotcom, :content_security_policy_definition, "default-src 'none'"
-end
diff --git a/lib/dotcom_web/router.ex b/lib/dotcom_web/router.ex
index 29685e5e1a..818e2a58f1 100644
--- a/lib/dotcom_web/router.ex
+++ b/lib/dotcom_web/router.ex
@@ -18,7 +18,7 @@ defmodule DotcomWeb.Router do
 plug(:fetch_session)
 plug(:fetch_flash)
 plug(:fetch_cookies)
- plug(:put_secure_browser_headers_runtime, %{})
+ plug(:put_secure_browser_headers)
 plug(:put_root_layout, {DotcomWeb.LayoutView, :root})
 plug(DotcomWeb.Plugs.CanonicalHostname)
 plug(DotcomWeb.Plugs.Banner)
@@ -312,13 +312,4 @@ defmodule DotcomWeb.Router do
 Plug.Conn.put_resp_header(conn, "x-robots-tag", "noindex")
 end
 end
-
- defp put_secure_browser_headers_runtime(conn, default_headers) do
- runtime_headers = %{
- "content-security-policy" =>
- Application.get_env(:dotcom, :content_security_policy_definition)
- }
-
- put_secure_browser_headers(conn, Map.merge(default_headers, runtime_headers))
- end
 end
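Review bot: The swap to `plug(:put_secure_browser_headers)` in the first router hunk leaves responses with no `content-security-policy` header at all, because the helper removed in the second hunk was the only place that header was set and Phoenix's default plug does not set a CSP of its own. The commit message says only that it reverts the earlier change, not why the policy was dropped or how it will come back, so a one-line reason in the description (or a tracking issue reference) would keep this regression from being forgotten. If the policy was reverted because it broke page resources in production, reinstating it in report-only mode first, via the map argument the removed helper already used (`put_secure_browser_headers(conn, %{"content-security-policy-report-only" => policy})`), lets violations be measured without blocking anything. The `pipeline` block these plugs belong to starts before the hunk.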