Fix : allow some url to be allowed in script-src CSP

[asaadam]

Closes #651

Description

add this url, to be allowed in script-src CSP

• *.netlify.com
• unpkg.com
• analytics.google.com
• *.google-analytics.com

[netlify]

✔️ Deploy Preview for wargabantuwarga ready!

🔨 Explore the source changes: 50a1ef1

🔍 Inspect the deploy log: https://app.netlify.com/sites/wargabantuwarga/deploys/6114f11ef14cbd00071106b1

😎 Browse the preview: https://deploy-preview-653--wargabantuwarga.netlify.app

[codecov]

Codecov Report

Merging #653 (50a1ef1) into main (debb88a) will not change coverage.
The diff coverage is n/a.

@@           Coverage Diff           @@
##             main     #653   +/-   ##
=======================================
  Coverage   82.06%   82.06%           
=======================================
  Files         124      124           
  Lines        1366     1366           
  Branches      452      452           
=======================================
  Hits         1121     1121           
  Misses        237      237           
  Partials        8        8           

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update debb88a...50a1ef1. Read the comment docs.

[mazipan]

Looks good, let's wait to check on the Netlify Preview first ya

[asaadam]

after see the preview
'unsafe-eval' must be allowed.

it's this okay?

[mazipan]

Can we pass different config for different domain?

The error on the Homepage are Gone for now.
But for the CMS still exist.

For page under /admin/* we should allow unsafe-eval

decaporg/decap-cms#2138

[asaadam]

Can we pass different config for different domain?

The error on the Homepage are Gone for now.
But for the CMS still exist.

right now I don't know how we can pass different configs for different domains.

but for now, if we want to quick fix, I will allow 'unsafe-eval'
then we will figure out later

[mazipan]

How about differentiate based on path?

  for = "/admin*"
  [headers.values]
    // Set different value
  for = "/*"
  [headers.values]
    X-Frame-Options = "DENY"
    X-XSS-Protection = "1; mode=block"
    X-Content-Type-Options = "nosniff"
    Referrer-Policy = "same-origin"
    Content-Security-Policy = "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' *.googletagmanager.com *.netlify.com unpkg.com analytics.google.com *.google-analytics.com; img-src 'self' blob: data: https:; frame-ancestors 'none'; "
    Permissions-Policy = "camera=(), microphone=(), geolocation=(), interest-cohort=()"

[asaadam]

How about differentiate based on path?

  for = "/admin*"
  [headers.values]
    // Set different value
  for = "/*"
  [headers.values]
    X-Frame-Options = "DENY"
    X-XSS-Protection = "1; mode=block"
    X-Content-Type-Options = "nosniff"
    Referrer-Policy = "same-origin"
    Content-Security-Policy = "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' *.googletagmanager.com *.netlify.com unpkg.com analytics.google.com *.google-analytics.com; img-src 'self' blob: data: https:; frame-ancestors 'none'; "
    Permissions-Policy = "camera=(), microphone=(), geolocation=(), interest-cohort=()"

ah I see, let's give it a shot

[mazipan]

Still not working, so let's try to allow on all pages for now @asaadam

[asaadam]

Still not working, so let's try to allow on all pages for now @asaadam

okay, working on it

[mazipan]

Works in my end.
let's discuss later with @resir014 ya to tackle this issue properly.

[mazipan]

@all-contributors please add @asaadam for code

[allcontributors]

@mazipan

I've put up a pull request to add @asaadam! 🎉