From aea032d31c94e81f629c6049e4d1929d9a91ee10 Mon Sep 17 00:00:00 2001
From: James Cobb <jcobb@redhat.com>
Date: Tue, 15 Oct 2024 12:21:00 -0600
Subject: [PATCH 1/2] move CSP and add unsafe-inline, remove sha

---
 _includes/head-csp.html | 24 ++++++++++++++++++++++++
 _layouts/base.html      |  3 +--
 2 files changed, 25 insertions(+), 2 deletions(-)
 create mode 100644 _includes/head-csp.html

diff --git a/_includes/head-csp.html b/_includes/head-csp.html
new file mode 100644
index 00000000000..3e10441bbd8
--- /dev/null
+++ b/_includes/head-csp.html
@@ -0,0 +1,24 @@
+<meta http-equiv="Content-Security-Policy" content="
+  default-src https://dpm.demdex.net https://route-default-test-mscherer-matamo.apps.ospo-osci.z3b1.p1.openshiftapps.com/ {{ site.search.host }}; 
+  script-src 'self' 'unsafe-inline' 'unsafe-eval'
+        {{ search_script }} 
+        assets.adobedtm.com
+        js.bizographics.com
+        https://www.redhat.com
+        https://static.redhat.com
+        https://app.requestly.io/
+        jsonip.com 
+        https://ajax.googleapis.com
+        https://use.fontawesome.com
+        https://app.mailjet.com
+        http://www.youtube.com
+        http://www.googleadservices.com
+        https://googleads.g.doubleclick.net
+        https://giscus.app
+        https://route-default-test-mscherer-matamo.apps.ospo-osci.z3b1.p1.openshiftapps.com/;
+
+  style-src 'self' https://fonts.googleapis.com https://use.fontawesome.com; 
+  img-src 'self' * data:; 
+  media-src 'self'; 
+  frame-src https://redhat.demdex.net https://www.youtube.com https://embed.restream.io https://app.mailjet.com http://xy0p2.mjt.lu https://mj.quarkus.io https://giscus.app; base-uri 'none'; object-src 'none'; form-action 'none'; 
+  font-src 'self' https://use.fontawesome.com https://fonts.gstatic.com;" />
\ No newline at end of file
diff --git a/_layouts/base.html b/_layouts/base.html
index 01f4c153e78..7a36f1dbeb0 100755
--- a/_layouts/base.html
+++ b/_layouts/base.html
@@ -31,8 +31,7 @@
   <title>{{ page.title }}{{ page_title_version_suffix }}{% unless page_title_starts_with_quarkus or page_title_ends_with_quarkus %} - Quarkus{% endunless %}</title>
   <meta charset="utf-8">
   <meta name="viewport" content="width=device-width, initial-scale=1">
-  <meta http-equiv="Content-Security-Policy" content="default-src https://dpm.demdex.net https://route-default-test-mscherer-matamo.apps.ospo-osci.z3b1.p1.openshiftapps.com/ {{ site.search.host }}; script-src 'self' 'unsafe-eval' {{ search_script }} 'sha256-ANpuoVzuSex6VhqpYgsG25OHWVA1I+F6aGU04LoI+5s=' 'sha256-ipy9P/3rZZW06mTLAR0EnXvxSNcnfSDPLDuh3kzbB1w=' 'sha256-+5qDxnbsqhFKZIIfofMhmVgNChsVrKoHUdaQ2EMs9aU=' 'sha256-9GX2EYB8fryOX9sALbWzZ7TVEZjRANod3mzT9mJK2A0=' 'sha256-RqEzO7A/IXS1BIUL4ZdgDljo0D5dRmBT22Oe7buZDT8=' 'sha256-OOu4endfeFMVqh4Q00S7byTqB4q1D6GextRjoysxGbg=' 'sha256-ioF25X2HdUdCugCVyJjxXVOma9G9P15kHxEDtSRNluE=' 'sha256-PeUeMwkRRyljEhJ9YfrDnY7Fs7YaSekiWO+UaJHD6P4=' 'sha256-/l3yGVvvIIlcKqPU1Ix7WzsjlDZYxSTUgNauy7yiunY=' js.bizographics.com https://www.redhat.com https://static.redhat.com assets.adobedtm.com https://app.requestly.io/ jsonip.com https://ajax.googleapis.com https://use.fontawesome.com https://app.mailjet.com http://www.youtube.com http://www.googleadservices.com https://googleads.g.doubleclick.net https://dpm.demdex.net https://giscus.app https://route-default-test-mscherer-matamo.apps.ospo-osci.z3b1.p1.openshiftapps.com/; style-src 'self' https://fonts.googleapis.com https://use.fontawesome.com; img-src 'self'
-  https://route-default-test-mscherer-matamo.apps.ospo-osci.z3b1.p1.openshiftapps.com/ * data:; media-src 'self'; frame-src https://redhat.demdex.net https://www.youtube.com https://embed.restream.io https://app.mailjet.com http://xy0p2.mjt.lu https://mj.quarkus.io https://giscus.app; base-uri 'none'; object-src 'none'; form-action 'none'; font-src 'self' https://use.fontawesome.com https://fonts.gstatic.com;" />
+  {% include head-csp.html %}
   <script id="adobe_dtm" src="https://www.redhat.com/dtm.js" type="text/javascript"></script>
   <script src="{{ '/assets/javascript/highlight.pack.js' | relative_url }}" type="text/javascript"></script>
   <META HTTP-EQUIV='X-XSS-Protection' CONTENT="1; mode=block">

From 656a67dee2f1973c9fa03e95019f024ad954ce37 Mon Sep 17 00:00:00 2001
From: James Cobb <jcobb@redhat.com>
Date: Tue, 15 Oct 2024 12:53:47 -0600
Subject: [PATCH 2/2] update adobe url to allow for https

---
 _includes/head-csp.html | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/_includes/head-csp.html b/_includes/head-csp.html
index 3e10441bbd8..96f95b436b0 100644
--- a/_includes/head-csp.html
+++ b/_includes/head-csp.html
@@ -2,7 +2,7 @@
   default-src https://dpm.demdex.net https://route-default-test-mscherer-matamo.apps.ospo-osci.z3b1.p1.openshiftapps.com/ {{ site.search.host }}; 
   script-src 'self' 'unsafe-inline' 'unsafe-eval'
         {{ search_script }} 
-        assets.adobedtm.com
+        https://assets.adobedtm.com
         js.bizographics.com
         https://www.redhat.com
         https://static.redhat.com