From 0e50c50bde60d9bd9e67ba00bf2ac58d5e231346 Mon Sep 17 00:00:00 2001
From: Ben Hardill
Date: Wed, 31 Jul 2024 12:52:56 +0100
Subject: [PATCH 1/3] Remove limits on img-src

The last update tried to add a wildcard for all the different google world wide domains but it was not valid. Rather than playing wack-a-mole decided to just allow images from everywhere. This feels better than an incomplete list and not that large a threat.
---
 forge/forge.js | 25 -------------------------
 1 file changed, 25 deletions(-)

diff --git a/forge/forge.js b/forge/forge.js
index 68e74d296b..876bf07ff9 100644
--- a/forge/forge.js
+++ b/forge/forge.js
@@ -265,7 +265,6 @@ module.exports = async (options = {}) => {
 'script-src': ["'self'", "'unsafe-inline'", "'unsafe-eval'"],
 'worker-src': ["'self'", 'blob:'],
 'connect-src': ["'self'"],
- 'img-src': ["'self'", 'data:', 'flowfuse.com', 'www.gravatar.com'],
 'font-src': ["'self'", 'data'],
 'style-src': ["'self'", 'https:', "'unsafe-inline'"],
 'upgrade-insecure-requests': null,
@@ -337,20 +336,6 @@ module.exports = async (options = {}) => {
 } else {
 contentSecurityPolicy.directives['script-src'] = googleDomains
 }
- const googleImageDomains = [ 'www.google.com', 'www.google.co.*', 'www.google.com.*', 'www.google.*', 'googleads.g.doubleclick.net', 'www.googleadservices.com', 'www.googletagmanager.com' ]
- if (contentSecurityPolicy.directives['img-src'] && Array.isArray(contentSecurityPolicy.directives['img-src'])) {
- contentSecurityPolicy.directives['img-src'].push(...googleImageDomains)
- } else {
- contentSecurityPolicy.directives['img-src'] = googleImageDomains
- }
 const googleConnectDomains = [
 'www.google.com',
 'google.com'
@@ -395,16 +380,6 @@ module.exports = async (options = {}) => {
 } else {
 contentSecurityPolicy.directives['script-src'] = hubspotDomains
 }
- const hubspotImageDomains = [ '*.hsforms.com', '*.hubspot.com', '*.hsforms.net' ]
- if (contentSecurityPolicy.directives['img-src'] && Array.isArray(contentSecurityPolicy.directives['img-src'])) {
- contentSecurityPolicy.directives['img-src'].push(...hubspotImageDomains)
- } else {
- contentSecurityPolicy.directives['img-src'] = hubspotImageDomains
- }
 const hubspotConnectDomains = [
 '*.hubspot.com',
 '*.hubapi.com',

From 16c123081e7cc51a5167d991d557ffdc372484b3 Mon Sep 17 00:00:00 2001
From: Ben Hardill
Date: Mon, 5 Aug 2024 09:21:32 +0100
Subject: [PATCH 2/3] Allow all img-src

---
 forge/forge.js | 1 +
 1 file changed, 1 insertion(+)

diff --git a/forge/forge.js b/forge/forge.js
index 876bf07ff9..a7ff4c5873 100644
--- a/forge/forge.js
+++ b/forge/forge.js
@@ -265,6 +265,7 @@ module.exports = async (options = {}) => {
 'script-src': ["'self'", "'unsafe-inline'", "'unsafe-eval'"],
 'worker-src': ["'self'", 'blob:'],
 'connect-src': ["'self'"],
+ 'img-src': ["'self'", '*'],
 'font-src': ["'self'", 'data'],
 'style-src': ["'self'", 'https:', "'unsafe-inline'"],
 'upgrade-insecure-requests': null,

From 503eb022d43728ffda1d00ee3fb397f79759bf4c Mon Sep 17 00:00:00 2001
From: Ben Hardill
Date: Mon, 5 Aug 2024 11:54:43 +0100
Subject: [PATCH 3/3] add `data:` back

---
 forge/forge.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/forge/forge.js b/forge/forge.js
index a7ff4c5873..596ec68e77 100644
--- a/forge/forge.js
+++ b/forge/forge.js
@@ -265,8 +265,8 @@ module.exports = async (options = {}) => {
 'script-src': ["'self'", "'unsafe-inline'", "'unsafe-eval'"],
 'worker-src': ["'self'", 'blob:'],
 'connect-src': ["'self'"],
- 'img-src': ["'self'", '*'],
- 'font-src': ["'self'", 'data'],
+ 'img-src': ["'self'", 'data:', '*'],
+ 'font-src': ["'self'", 'data:'],
 'style-src': ["'self'", 'https:', "'unsafe-inline'"],
 'upgrade-insecure-requests': null,
 'frame-ancestors': ["'self'"]
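Review bot: The `'*'` source in the new `'img-src': ["'self'", 'data:', '*']` line also admits plain `http:` image URLs; the scheme source `'https:'` expresses the commit message's intent ("images from everywhere") while keeping image loads on TLS, so `'img-src': ["'self'", 'data:', 'https:']` is the safer spelling. `upgrade-insecure-requests` is set a few lines below, so browsers that honour it would rewrite `http:` image URLs anyway, but `'https:'` costs nothing and does not depend on that. Because `script-src` already carries `'unsafe-inline'` and `'unsafe-eval'` in the context lines, a fully open `img-src` is presumably one of the wider remaining exfiltration channels for injected markup, and the trade-off deserves a comment above the directive rather than living only in the commit message, e.g. `// img-src is deliberately open: third-party avatars and marketing pixels come from too many hosts to enumerate`. The `'font-src'` change from `'data'` to `'data:'` looks like a genuine correction (a bare `data` would be parsed as a host name rather than the scheme) and a short `// data: scheme, not a host` note would stop it being "tidied" back. The `contentSecurityPolicy.directives` object this hunk sits in starts and ends outside the hunk.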