Merge pull request #4388 from pulibrary/csp-new-errors

Address recent CSP reports from deploying to prod
pulibrary · Sep 23, 2024 · 96a5b1c · 96a5b1c
2 parents 64451c7 + b1d4f38
commit 96a5b1c
Showing 1 changed file with 3 additions and 3 deletions.
diff --git a/config/initializers/content_security_policy.rb b/config/initializers/content_security_policy.rb
@@ -9,13 +9,13 @@
   config.content_security_policy do |policy|
     policy.default_src :self
     policy.frame_ancestors :self, 'https://princeton.libwizard.com'
-    policy.connect_src :self, '*.princeton.edu', 'http://localhost:*'
-    policy.font_src    :self, 'https://maxcdn.bootstrapcdn.com', 'https://use.typekit.net'
+    policy.connect_src :self, '*.princeton.edu', 'http://localhost:*', 'https://*.google.com', 'https://*.g.doubleclick.net', 'https://maxcdn.bootstrapcdn.com', 'https://*.typekit.net', 'https://*.stackmapintegration.com', 'https://books.google.com'
+    policy.font_src    :self, :data, 'https://maxcdn.bootstrapcdn.com', 'https://use.typekit.net', 'https://fonts.gstatic.com'
     policy.img_src     :self, :https, :data
     policy.media_src   :self, :data
     policy.script_src  :self, :https, :unsafe_eval, :unsafe_inline
     policy.style_src   :self, :https, :unsafe_inline
-    policy.frame_src   :self, 'https://figgy.princeton.edu'
+    policy.frame_src   :self, 'https://figgy.princeton.edu', 'https://*.doubleclick.net'
     policy.report_uri -> { "https://api.honeybadger.io/v1/browser/csp?api_key=#{ENV.fetch('HONEYBADGER_API_KEY', nil)}&report_only=true&env=#{Rails.env}&context[user_id]=#{respond_to?(:current_user) ? current_user&.id : nil}" }
   end