From 20c36534e06b5fdecb85898f13c77d4e86100763 Mon Sep 17 00:00:00 2001
From: asaadam
Date: Thu, 12 Aug 2021 15:46:37 +0700
Subject: [PATCH 1/5] fix: add csp which needed for netlify cms

---
 netlify.toml | 2 +-
 next.config.js | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/netlify.toml b/netlify.toml
index 88516aad4..4c2be3bb4 100644
--- a/netlify.toml
+++ b/netlify.toml
@@ -11,7 +11,7 @@
 X-XSS-Protection = "1; mode=block"
 X-Content-Type-Options = "nosniff"
 Referrer-Policy = "same-origin"
- Content-Security-Policy = "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' *.googletagmanager.com; img-src 'self' blob: data: https:; frame-ancestors 'none'; "
+ Content-Security-Policy = "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' *.googletagmanager.com *.netlify.com unpkg.com; img-src 'self' blob: data: https:; frame-ancestors 'none'; "
 Permissions-Policy = "camera=(), microphone=(), geolocation=(), interest-cohort=()"
 [[headers]]
 for = "/_next/static/*"
diff --git a/next.config.js b/next.config.js
index 8318bbe42..51c96fb74 100644
--- a/next.config.js
+++ b/next.config.js
@@ -4,7 +4,7 @@ const withBundleAnalyzer = require("@next/bundle-analyzer")({
 const ContentSecurityPolicy = `
 default-src 'self';
- script-src 'self' 'unsafe-inline' *.googletagmanager.com 'unsafe-eval';
+ script-src 'self' 'unsafe-inline' 'unsafe-eval' *.googletagmanager.com *.netlify.com unpkg.com;
 style-src 'self' 'unsafe-inline';
 img-src 'self' blob: data: https:;
 frame-ancestors 'none';
From 8375f5be0d49ea40a101c4b1739385b0507712f6 Mon Sep 17 00:00:00 2001
From: asaadam
Date: Thu, 12 Aug 2021 15:50:38 +0700
Subject: [PATCH 2/5] fix: allow analytics.google.com

---
 netlify.toml | 2 +-
 next.config.js | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/netlify.toml b/netlify.toml
index 4c2be3bb4..9213829c4 100644
--- a/netlify.toml
+++ b/netlify.toml
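Review bot: The added Content-Security-Policy line puts `unpkg.com` and `*.netlify.com` into the site-wide `/*` script-src, which makes script-src satisfiable by anything served from those origins rather than by the CMS bundle alone: unpkg.com serves every package published to npm, and the netlify.com wildcard covers every subdomain under it. A narrower policy keeps the script source path-scoped (CSP host sources accept a path, so `https://unpkg.com/<exact-cms-script-path>`, a placeholder for the file the admin page actually loads) or self-hosts the bundle so `'self'` covers it, and names the single Netlify host the CMS needs (presumably `identity.netlify.com`, if the identity widget is what the wildcard is for) instead of the wildcard. Since the CMS is only served under the admin route, these sources also belong on a rule scoped to that path rather than on `/*`. The same allowlist is written into next.config.js by this patch and carried forward by patches 2, 3 and 5, so the narrowing has to be applied to both copies.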
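Review bot: The `ContentSecurityPolicy` template literal changed here is a second, hand-maintained copy of the header string in netlify.toml, and the two already differ after this patch: this copy carries `'unsafe-eval'` while the netlify.toml rule does not, so which policy a visitor gets depends on which deployment path ends up setting the header. A comment above the declaration such as `// Keep in sync with the Content-Security-Policy header in netlify.toml (see netlify-plugin-nextjs issue 150)` would at least make the coupling visible, and deriving one value from the other would remove it. The template literal's closing backtick and the surrounding `withBundleAnalyzer` setup are outside the hunk.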
@@ -11,7 +11,7 @@
 X-XSS-Protection = "1; mode=block"
 X-Content-Type-Options = "nosniff"
 Referrer-Policy = "same-origin"
- Content-Security-Policy = "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' *.googletagmanager.com *.netlify.com unpkg.com; img-src 'self' blob: data: https:; frame-ancestors 'none'; "
+ Content-Security-Policy = "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' *.googletagmanager.com *.netlify.com unpkg.com analytics.google.com *.google-analytics.com; img-src 'self' blob: data: https:; frame-ancestors 'none'; "
 Permissions-Policy = "camera=(), microphone=(), geolocation=(), interest-cohort=()"
 [[headers]]
 for = "/_next/static/*"
diff --git a/next.config.js b/next.config.js
index 51c96fb74..0d8357198 100644
--- a/next.config.js
+++ b/next.config.js
@@ -4,7 +4,7 @@ const withBundleAnalyzer = require("@next/bundle-analyzer")({
 const ContentSecurityPolicy = `
 default-src 'self';
- script-src 'self' 'unsafe-inline' 'unsafe-eval' *.googletagmanager.com *.netlify.com unpkg.com;
+ script-src 'self' 'unsafe-inline' 'unsafe-eval' *.googletagmanager.com *.netlify.com unpkg.com analytics.google.com *.google-analytics.com;
 style-src 'self' 'unsafe-inline';
 img-src 'self' blob: data: https:;
 frame-ancestors 'none';
From 9905d071287a11c61be31988254df45a8443cbe8 Mon Sep 17 00:00:00 2001
From: asaadam
Date: Thu, 12 Aug 2021 16:17:58 +0700
Subject: [PATCH 3/5] feat: add spesific header values for admin page

---
 netlify.toml | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/netlify.toml b/netlify.toml
index 9213829c4..e5200f78f 100644
--- a/netlify.toml
+++ b/netlify.toml
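Review bot: `analytics.google.com` and `*.google-analytics.com` are appended to script-src on the replaced Content-Security-Policy line, but the analytics script itself is normally loaded from the googletagmanager.com host already listed, while the measurement hits are beacon/XHR requests that fall under connect-src, which this policy leaves at `default-src 'self'`. If the motivating violation was a blocked collect request, this change widens script-src without unblocking it; check the blocked directive in the browser's CSP report and add a `connect-src` entry for the analytics hosts if that is what was reported. Patch 2's next.config.js hunk makes the same change and would need the same adjustment.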
@@ -4,6 +4,17 @@
 # Temporary header config until Netlify supports setting `headers` on `next.config.js`
 # https://github.com/netlify/netlify-plugin-nextjs/issues/150
+
+[[headers]]
+for = "/admin*"
+ [headers.values]
+ X-Frame-Options = "DENY"
+ X-XSS-Protection = "1; mode=block"
+ X-Content-Type-Options = "nosniff"
+ Referrer-Policy = "same-origin"
+ Content-Security-Policy = "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval' *.googletagmanager.com *.netlify.com unpkg.com analytics.google.com *.google-analytics.com; img-src 'self' blob: data: https:; frame-ancestors 'none'; "
+ Permissions-Policy = "camera=(), microphone=(), geolocation=(), interest-cohort=()"
+
 [[headers]]
 for = "/*"
 [headers.values]
@@ -13,6 +24,7 @@
 Referrer-Policy = "same-origin"
 Content-Security-Policy = "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' *.googletagmanager.com *.netlify.com unpkg.com analytics.google.com *.google-analytics.com; img-src 'self' blob: data: https:; frame-ancestors 'none'; "
 Permissions-Policy = "camera=(), microphone=(), geolocation=(), interest-cohort=()"
+
 [[headers]]
 for = "/_next/static/*"
 [headers.values]
From 4ceb99cb5eb74ea31759127b7a5b1a9d5284df3d Mon Sep 17 00:00:00 2001
From: asaadam
Date: Thu, 12 Aug 2021 16:20:49 +0700
Subject: [PATCH 4/5] refactor: remove extra space

---
 netlify.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/netlify.toml b/netlify.toml
index e5200f78f..fd4652046 100644
--- a/netlify.toml
+++ b/netlify.toml
@@ -8,7 +8,7 @@
 [[headers]]
 for = "/admin*"
 [headers.values]
- X-Frame-Options = "DENY"
+ X-Frame-Options = "DENY"
 X-XSS-Protection = "1; mode=block"
 X-Content-Type-Options = "nosniff"
 Referrer-Policy = "same-origin"
From 50a1ef16358edc3952d1f03573da5bd801a4cd81 Mon Sep 17 00:00:00 2001
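Review bot: The new `/admin*` rule repeats every header of the `/*` rule, and a request for an admin path matches both rules, so the effect of its different Content-Security-Policy value depends on how Netlify combines headers from overlapping rules; if both values are emitted, the browser enforces each policy independently and the `/*` policy without `'unsafe-eval'` still blocks eval on the admin page, which would make this block ineffective for its purpose. Confirm Netlify's behaviour for the same header set by several matching rules before relying on a path-specific CSP; if the values are merged rather than replaced, the remaining options are a single policy for both paths or a `/*` rule that does not cover the admin route. A comment on the block recording the intent, e.g. `# Admin-only CSP: the CMS needs 'unsafe-eval'; verify this value replaces, not joins, the /* header`, would help the next reader.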
From: asaadam
Date: Thu, 12 Aug 2021 16:59:50 +0700
Subject: [PATCH 5/5] fix: add 'unsafe-eval' on netlify.toml

---
 netlify.toml | 14 +-------------
 1 file changed, 1 insertion(+), 13 deletions(-)

diff --git a/netlify.toml b/netlify.toml
index fd4652046..3a30b33d5 100644
--- a/netlify.toml
+++ b/netlify.toml
@@ -4,17 +4,6 @@
 # Temporary header config until Netlify supports setting `headers` on `next.config.js`
 # https://github.com/netlify/netlify-plugin-nextjs/issues/150
-
-[[headers]]
-for = "/admin*"
- [headers.values]
- X-Frame-Options = "DENY"
- X-XSS-Protection = "1; mode=block"
- X-Content-Type-Options = "nosniff"
- Referrer-Policy = "same-origin"
- Content-Security-Policy = "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval' *.googletagmanager.com *.netlify.com unpkg.com analytics.google.com *.google-analytics.com; img-src 'self' blob: data: https:; frame-ancestors 'none'; "
- Permissions-Policy = "camera=(), microphone=(), geolocation=(), interest-cohort=()"
-
 [[headers]]
 for = "/*"
 [headers.values]
@@ -22,9 +11,8 @@ for = "/admin*"
 X-XSS-Protection = "1; mode=block"
 X-Content-Type-Options = "nosniff"
 Referrer-Policy = "same-origin"
- Content-Security-Policy = "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' *.googletagmanager.com *.netlify.com unpkg.com analytics.google.com *.google-analytics.com; img-src 'self' blob: data: https:; frame-ancestors 'none'; "
+ Content-Security-Policy = "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' *.googletagmanager.com *.netlify.com unpkg.com analytics.google.com 'unsafe-eval'; img-src 'self' blob: data: https:; frame-ancestors 'none'; "
 Permissions-Policy = "camera=(), microphone=(), geolocation=(), interest-cohort=()"
-
 [[headers]]
 for = "/_next/static/*"
 [headers.values]
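Review bot: The replaced Content-Security-Policy line in the second hunk drops `*.google-analytics.com` from script-src while adding `'unsafe-eval'`, although the subject only announces the latter, and next.config.js still lists that host, so the two copies of the policy now differ in both respects. If the removal is intentional, mirror it in next.config.js; if not, restore the host so the directive reads `script-src 'self' 'unsafe-inline' *.googletagmanager.com *.netlify.com unpkg.com analytics.google.com *.google-analytics.com 'unsafe-eval';`. This patch also makes `'unsafe-eval'` site-wide on `/*` instead of limited to the admin route the CMS needs it for; if the `/admin*` rule from patch 3 was dropped because Netlify emitted both matching headers, a TOML comment above the rule such as `# 'unsafe-eval' is site-wide because a separate /admin* rule did not take precedence over this one` would preserve that reasoning for whoever tightens the policy later.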