From b668a3ed35f233ded7c2153dbf5f145e40543d50 Mon Sep 17 00:00:00 2001 From: Matthieu Jacq <67386567+matthieujacq@users.noreply.github.com> Date: Wed, 27 Sep 2023 15:13:10 +0200 Subject: [PATCH 1/2] =?UTF-8?q?fix:=20=F0=9F=94=92=EF=B8=8F=20add=20gravat?= =?UTF-8?q?ar.com=20to=20the=20content=20security=20policy?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- frontend/next.config.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/frontend/next.config.js b/frontend/next.config.js index fc3f56345703..67bef5bf35f8 100644 --- a/frontend/next.config.js +++ b/frontend/next.config.js @@ -24,7 +24,7 @@ const nextConfig = { const ContentSecurityPolicy = ` default-src 'self' https://fonts.googleapis.com ${process.env.NEXT_PUBLIC_SUPABASE_URL} https://api.june.so https://www.quivr.app/; connect-src 'self' ${process.env.NEXT_PUBLIC_SUPABASE_URL} ${process.env.NEXT_PUBLIC_BACKEND_URL} https://api.june.so https://api.openai.com https://cdn.growthbook.io https://vitals.vercel-insights.com/v1/vitals; - img-src 'self' data:; + img-src 'self' https://www.gravatar.com/ data:; media-src 'self' https://user-images.githubusercontent.com https://www.quivr.app/ https://quivr-cms.s3.eu-west-3.amazonaws.com; script-src 'unsafe-inline' 'unsafe-eval' https://va.vercel-scripts.com/ https://www.quivr.app/ https://www.google-analytics.com/; frame-ancestors 'none'; From 267f51887aa2d4ade2cdf85cbb03da5f38281b80 Mon Sep 17 00:00:00 2001 From: Matthieu Jacq <67386567+matthieujacq@users.noreply.github.com> Date: Wed, 27 Sep 2023 15:31:32 +0200 Subject: [PATCH 2/2] =?UTF-8?q?=F0=9F=8E=A8=20cleaner=20ContentSecurityPol?= =?UTF-8?q?icy=20string=20definition?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- frontend/next.config.js | 49 ++++++++++++++++++++++++++++++++--------- 1 file changed, 39 insertions(+), 10 deletions(-) 
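Review bot: The new `img-src` entry `https://www.gravatar.com/` allows every path on that host, while avatar images presumably come only from the `/avatar/` path; a CSP host-source may carry a path prefix, so `https://www.gravatar.com/avatar/` would grant the same functionality with a narrower allowance. Gravatar avatars are also served from other hostnames (for example `secure.gravatar.com`), which this entry would still block, so confirm which URL the frontend actually builds before settling on the host list. A short comment on the line, such as `// Gravatar user avatars (<https://www.gravatar.com/avatar/...>)`, would record why this third-party host is in the image allow-list.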
diff --git a/frontend/next.config.js b/frontend/next.config.js
index 67bef5bf35f8..f3cdf16130a7 100644
--- a/frontend/next.config.js
+++ b/frontend/next.config.js
@@ -21,21 +21,50 @@ const nextConfig = { }, }; -const ContentSecurityPolicy = ` - default-src 'self' https://fonts.googleapis.com ${process.env.NEXT_PUBLIC_SUPABASE_URL} https://api.june.so https://www.quivr.app/; - connect-src 'self' ${process.env.NEXT_PUBLIC_SUPABASE_URL} ${process.env.NEXT_PUBLIC_BACKEND_URL} https://api.june.so https://api.openai.com https://cdn.growthbook.io https://vitals.vercel-insights.com/v1/vitals; - img-src 'self' https://www.gravatar.com/ data:; - media-src 'self' https://user-images.githubusercontent.com https://www.quivr.app/ https://quivr-cms.s3.eu-west-3.amazonaws.com; - script-src 'unsafe-inline' 'unsafe-eval' https://va.vercel-scripts.com/ https://www.quivr.app/ https://www.google-analytics.com/; - frame-ancestors 'none'; - style-src 'unsafe-inline' https://www.quivr.app/; -`; +const ContentSecurityPolicy = { + "default-src": [ + "self", + "https://fonts.googleapis.com", + process.env.NEXT_PUBLIC_SUPABASE_URL, + "https://api.june.so", + "https://www.quivr.app/", + ], + "connect-src": [ + "self", + process.env.NEXT_PUBLIC_SUPABASE_URL, + process.env.NEXT_PUBLIC_BACKEND_URL, + "https://api.june.so", + "https://api.openai.com", + "https://cdn.growthbook.io", + "https://vitals.vercel-insights.com/v1/vitals", + ], + "img-src": ["self", "https://www.gravatar.com/", "data:"], + "media-src": [ + "self", + "https://user-images.githubusercontent.com", + "https://www.quivr.app/", + "https://quivr-cms.s3.eu-west-3.amazonaws.com", + ], + "script-src": [ + "unsafe-inline", + "unsafe-eval", + "https://va.vercel-scripts.com/", + "https://www.quivr.app/", + "https://www.google-analytics.com/", + ], + "frame-ancestors": ["none"], + "style-src": ["unsafe-inline", "https://www.quivr.app/"], +}; + +const cspString = Object.entries(ContentSecurityPolicy) + .map(([key, values]) => `${key} ${values.join(" ")}`) + .join("; "); // Define headers const securityHeaders = [ { key: "Content-Security-Policy", - value: ContentSecurityPolicy.replace(/\n/g, ""), + 
value: cspString, }, { key: "Referrer-Policy",
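Review bot: The refactored object drops the single quotes that CSP requires around keyword sources, so `"self"`, `"unsafe-inline"`, `"unsafe-eval"` and `"none"` are emitted as bare `self`, `unsafe-inline`, `unsafe-eval` and `none`, which browsers parse as host names rather than keywords; the removed template string had `'self'`, `'unsafe-inline'`, `'unsafe-eval'` and `'none'`. The resulting policy is therefore not equivalent to the old one: same-origin scripts, styles, images, media and fetches would no longer match any source in their directive, and the inline/eval allowance for `script-src` and `style-src` silently stops applying. Each keyword entry needs its own quotes inside the JS string, e.g. `"'self'"`, `"'unsafe-inline'"`, `"'unsafe-eval'"`, `"'none'"`, with a comment explaining why, since the bare form reads as correct. Unset `NEXT_PUBLIC_*` variables still end up in the policy as the literal string `undefined`, as they did with the template string; that is pre-existing but worth a guard. The `securityHeaders` array that consumes `cspString` continues past the end of the hunk.
```javascript
const ContentSecurityPolicy = {
  // CSP keyword sources ('self', 'none', 'unsafe-*') must carry their own
  // single quotes; a bare `self` is parsed as a host named "self" and never
  // matches the page origin.
  "default-src": [
    "'self'",
    // … unchanged: default-src host list …
  ],
  "connect-src": [
    "'self'",
    // … unchanged: connect-src host list …
  ],
  "img-src": ["'self'", "https://www.gravatar.com/", "data:"],
  "media-src": [
    "'self'",
    // … unchanged: media-src host list …
  ],
  "script-src": [
    "'unsafe-inline'",
    "'unsafe-eval'",
    // … unchanged: script-src host list …
  ],
  "frame-ancestors": ["'none'"],
  "style-src": ["'unsafe-inline'", "https://www.quivr.app/"],
};
// … unchanged: cspString assembly and securityHeaders …
```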