From 52fd081637a3cb0f6eff4125b3a3817d13db53b8 Mon Sep 17 00:00:00 2001
From: Michael Sober
Date: Wed, 20 Aug 2025 15:08:17 +0200
Subject: [PATCH 1/2] fix: csp violation
---
 src/pages/_document.tsx | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)
diff --git a/src/pages/_document.tsx b/src/pages/_document.tsx
index 51c80b46482..1e0a06f9bb5 100644
--- a/src/pages/_document.tsx
+++ b/src/pages/_document.tsx
@@ -1,5 +1,6 @@
 import crypto from 'crypto';
 import Document, { Html, Head, Main, NextScript } from 'next/document';
+import { ALGOLIA_APP_ID } from '../constants/algolia';
 const cspHashOf = (text) => {
 const hash = crypto.createHash('sha256');
@@ -14,7 +15,7 @@ const ANALYTICS_CSP = {
 'https://aws.demdex.net',
 'https://dpm.demdex.net',
 'https://cm.everesttech.net',
- '*.shortbread.aws.dev'
+ 'https://prod.assets.shortbread.aws.dev https://prod.tools.shortbread.aws https://prod.tools.shortbread.aws.dev'
 ],
 img: [
 'https://amazonwebservices.d2.sc.omtrdc.net',
@@ -23,8 +24,12 @@ const ANALYTICS_CSP = {
 'https://cm.everesttech.net'
 ],
 frame: ['https://aws.demdex.net', 'https://dpm.demdex.net'],
- script: ['*.shortbread.aws.dev'],
- style: ['*.shortbread.aws.dev']
+ script: [
+ 'https://prod.assets.shortbread.aws.dev https://prod.tools.shortbread.aws https://prod.log.shortbread.aws.dev'
+ ],
+ style: [
+ 'https://prod.assets.shortbread.aws.dev https://prod.tools.shortbread.aws https://prod.log.shortbread.aws.dev'
+ ]
 },
 prod: {
 connect: [
@@ -71,7 +76,7 @@ const getCspContent = (context) => {
 ' '
 )} ${ANALYTICS_CSP.alpha.connect.join(
 ' '
- )} https://*.algolia.net https://*.algolianet.com *.amazonaws.com;
+ )} https://${ALGOLIA_APP_ID}-dsn.algolia.net https://${ALGOLIA_APP_ID}-1.algolianet.com https://${ALGOLIA_APP_ID}-2.algolianet.com https://${ALGOLIA_APP_ID}-3.algolianet.com;
 img-src 'self' https://img.shields.io data: ${ANALYTICS_CSP.all.img.join(
 ' '
 )} ${ANALYTICS_CSP.alpha.img.join(' ')};
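Review bot: `ALGOLIA_APP_ID` is interpolated straight into `connect-src` in the `@@ -71,7 +76,7 @@` hunk, and again in the prod branch at `@@ -94,7 +99,7 @@`, with no check on its value. If the constant were ever empty or undefined, the policy would name a host such as `https://undefined-dsn.algolia.net` and search requests would be blocked without any build-time signal; a value containing a space or `;` would add sources or directives to the policy. I would build the four-host list once at module level, assert the ID's shape there, and interpolate the result in both branches, which also removes the duplicated literal. The value itself lives in `../constants/algolia`, outside this diff, and `getCspContent` starts and ends outside both hunks.

```typescript
// Algolia application IDs are expected to be short alphanumeric strings;
// reject anything else so it cannot alter the policy string.
if (
  typeof ALGOLIA_APP_ID !== 'string' ||
  !/^[A-Za-z0-9]+$/.test(ALGOLIA_APP_ID)
) {
  throw new Error('ALGOLIA_APP_ID must be a non-empty alphanumeric string');
}

const ALGOLIA_CONNECT_SRC = [
  `https://${ALGOLIA_APP_ID}-dsn.algolia.net`,
  `https://${ALGOLIA_APP_ID}-1.algolianet.com`,
  `https://${ALGOLIA_APP_ID}-2.algolianet.com`,
  `https://${ALGOLIA_APP_ID}-3.algolianet.com`
].join(' ');

// … unchanged: getCspContent up to the connect-src directive …
// in both the alpha and prod branches the four literal hosts become:
//   )} ${ALGOLIA_CONNECT_SRC};
```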
@@ -94,7 +99,7 @@ const getCspContent = (context) => {
 ' '
 )} ${ANALYTICS_CSP.prod.connect.join(
 ' '
- )} https://*.algolia.net https://*.algolianet.com *.amazonaws.com;
+ )} https://${ALGOLIA_APP_ID}-dsn.algolia.net https://${ALGOLIA_APP_ID}-1.algolianet.com https://${ALGOLIA_APP_ID}-2.algolianet.com https://${ALGOLIA_APP_ID}-3.algolianet.com;
 img-src 'self' https://img.shields.io ${ANALYTICS_CSP.all.img.join(
 ' '
 )} ${ANALYTICS_CSP.prod.img.join(' ')};
From 3b4e1e7f871c6a277f26dddc1a2b2d61aec70435 Mon Sep 17 00:00:00 2001
From: Michael Sober
Date: Wed, 20 Aug 2025 17:27:37 +0200
Subject: [PATCH 2/2] fix: updated shortbread rules
---
 src/pages/_document.tsx | 11 ++++-------
 1 file changed, 4 insertions(+), 7 deletions(-)
diff --git a/src/pages/_document.tsx b/src/pages/_document.tsx
index 1e0a06f9bb5..da445dbff4b 100644
--- a/src/pages/_document.tsx
+++ b/src/pages/_document.tsx
@@ -15,7 +15,8 @@ const ANALYTICS_CSP = {
 'https://aws.demdex.net',
 'https://dpm.demdex.net',
 'https://cm.everesttech.net',
- 'https://prod.assets.shortbread.aws.dev https://prod.tools.shortbread.aws https://prod.tools.shortbread.aws.dev'
+ 'https://prod.tools.shortbread.aws.dev',
+ 'https://prod.log.shortbread.aws.dev'
 ],
 img: [
 'https://amazonwebservices.d2.sc.omtrdc.net',
@@ -24,12 +25,8 @@ const ANALYTICS_CSP = {
 'https://cm.everesttech.net'
 ],
 frame: ['https://aws.demdex.net', 'https://dpm.demdex.net'],
- script: [
- 'https://prod.assets.shortbread.aws.dev https://prod.tools.shortbread.aws https://prod.log.shortbread.aws.dev'
- ],
- style: [
- 'https://prod.assets.shortbread.aws.dev https://prod.tools.shortbread.aws https://prod.log.shortbread.aws.dev'
- ]
+ script: ['https://prod.assets.shortbread.aws.dev'],
+ style: ['https://prod.assets.shortbread.aws.dev']
 },
 prod: {
 connect: [
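Review bot: The removed line in the `@@ -94,7 +99,7 @@` hunk of patch 1/2 (and in the alpha branch at `@@ -71,7 +76,7 @@`) also drops `*.amazonaws.com` from `connect-src`, which the subject `fix: csp violation` does not mention. Removing it is a sound tightening, because that wildcard allows connections to any endpoint hosted under amazonaws.com, not only this site's own. Any page script that still calls such an endpoint will now be blocked in production, so the removal deserves its own line in the commit message and a check of a staging build for new `connect-src` violations before release. Which callers relied on the wildcard is not visible here; `getCspContent` starts and ends outside the hunk.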
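Review bot: The Shortbread entries in patch 2/2 (`@@ -15,7 +15,8 @@` and `@@ -24,12 +25,8 @@`) are split by directive, with the tools and log hosts under `connect` and the assets host under `script` and `style`, but nothing in the code records why. Patch 1/2 shows how easily these lists drift, so a short comment above them would help, for example `// Shortbread: assets host is loaded as script/style; tools and log hosts are fetch targets only` (wording to be confirmed by the author). The enclosing block opens above the first hunk and the `prod:` block begins at the last context line, so it is not visible whether the prod lists still carry a `*.shortbread.aws.dev` wildcard or received the same exact-host entries; that is worth confirming before merge.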