fix: cleanup Content Security Policy config

engineervix · Sep 30, 2022 · 18ef459 · 18ef459
1 parent f6d363b
commit 18ef459
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 3 deletions.
diff --git a/env/env.example b/env/env.example
@@ -22,3 +22,4 @@ TENLISTS_API_BASE=http://0.0.0.0:5000/ten-lists/api/v1.0/mp3s
 # (Production Only)
 SERVER_NAME=example.com
 SENTRY_DSN=https://XXXXXXXXX@YYYYY.ingest.sentry.io/ZZZZZZZZ
+CSP_DIRECTIVES="default-src 'self' cdn.jsdelivr.net cdn.example.com;"
diff --git a/tenlists/webapp/ten_lists/__init__.py b/tenlists/webapp/ten_lists/__init__.py
@@ -6,7 +6,7 @@
 from flask_moment import Moment
 from flask_restful import Api
 
-from flask_talisman import Talisman
+from flask_talisman import DEFAULT_CSP_POLICY, Talisman
 from werkzeug.middleware.proxy_fix import ProxyFix
 
 config = {
@@ -37,7 +37,6 @@ def create_app():
     if app.debug:
         toolbar.init_app(app)
     else:
-        csp = {"default-src": ["'self'", "cdn.jsdelivr.net", "analytics.umusebo.com"]}
         permissions_policy = {
             "accelerometer": "()",
             "ambient-light-sensor": "()",
@@ -58,7 +57,10 @@ def create_app():
         }
         # strict_transport_security is already set by NGIИX
         Talisman(
-            app, content_security_policy=csp, strict_transport_security=False, permissions_policy=permissions_policy
+            app,
+            os.getenv("CSP_DIRECTIVES", DEFAULT_CSP_POLICY),
+            strict_transport_security=False,
+            permissions_policy=permissions_policy,
         )
 
     api = Api(app)