fix - wrong secrets used (#888)

* fix - wrong secrets used * pass in client side key in directly * remove quote * remove path from connect-src * fix - script src * update CSP * remove semicolon
opengovsg · Nov 18, 2024 · 256fc52 · 256fc52
1 parent dab16ba
commit 256fc52
Show file tree

Hide file tree

Showing 2 changed files with 75 additions and 11 deletions.
diff --git a/.github/workflows/aws_deploy.yml b/.github/workflows/aws_deploy.yml
@@ -166,8 +166,8 @@ jobs:
             NEXT_PUBLIC_S3_REGION=${{ inputs.app-s3-region }}
             NEXT_PUBLIC_S3_ASSETS_DOMAIN_NAME=${{ inputs.app-s3-assets-domain-name }}
             NEXT_PUBLIC_S3_ASSETS_BUCKET_NAME=${{ inputs.app-s3-assets-bucket-name }}
-            NEXT_PUBLIC_GROWTHBOOK_CLIENT_KEY:${{ secrets.GROWTHBOOK_CLIENT_KEY }}
-            NEXT_PUBLIC_INTERCOM_APP_ID:${{ secrets.INTERCOM_APP_ID }}
+            NEXT_PUBLIC_GROWTHBOOK_CLIENT_KEY=sdk-r07MHTLLgfdVDThi
+            NEXT_PUBLIC_INTERCOM_APP_ID=jv2tjc3g
 
   deploy:
     name: Deploy image to ECS

diff --git a/apps/studio/next.config.mjs b/apps/studio/next.config.mjs
@@ -17,28 +17,92 @@ TODO: Removing this CSP first
 const ContentSecurityPolicy = `
   default-src 'none';
   base-uri 'self';
-  font-src 'self' https: data:;
-  form-action 'self';
+  font-src
+    'self'
+    https:
+    data:
+    https://js.intercomcdn.com
+    https://fonts.intercomcdn.com
+    ;
+  form-action
+    'self'
+    https://intercom.help
+    https://api-iam.intercom.io
+    https://api-iam.eu.intercom.io
+    https://api-iam.au.intercom.io
+    ;
   frame-ancestors 'self';
   img-src * data: blob:;
-  frame-src 'self';
+  frame-src
+    'self'
+    https://intercom-sheets.com
+    https://www.intercom-reporting.com 
+    https://www.youtube.com
+    https://player.vimeo.com
+    https://fast.wistia.net
+    ;
   object-src 'none';
-  script-src 'self' 'unsafe-eval' https://*.wogaa.sg;
-  style-src 'self' https: 'unsafe-inline';
+  script-src
+    'self'
+    'unsafe-eval'
+    https://*.wogaa.sg
+    https://app.intercom.io
+    https://widget.intercom.io
+    https://js.intercomcdn.com
+    ;
+  style-src
+    'self'
+    https:
+    'unsafe-inline'
+    ;
+  media-src
+    https://js.intercomcdn.com
+    https://downloads.intercomcdn.com
+    https://downloads.intercomcdn.eu
+    https://downloads.au.intercomcdn.com
+    ;
   connect-src
     'self'
     https://schema.isomer.gov.sg
     https://browser-intake-datadoghq.com
     https://*.browser-intake-datadoghq.com
-    https://vitals.vercel-insights.com/v1/vitals
+    https://vitals.vercel-insights.com
     https://*.amazonaws.com
     https://*.wogaa.sg
     https://placehold.co
-    https://cdn.growthbook.io/api/features/${env.NEXT_PUBLIC_GROWTHBOOK_CLIENT_KEY}
-    https://widget.intercom.io/widget/${env.NEXT_PUBLIC_INTERCOM_APP_ID}
+    https://cdn.growthbook.io
     ${env.NODE_ENV === "production" ? "https://isomer-user-content.by.gov.sg" : "https://*.by.gov.sg"}
+    https://via.intercom.io
+    https://api.intercom.io
+    https://api.au.intercom.io
+    https://api.eu.intercom.io
+    https://api-iam.intercom.io
+    https://api-iam.eu.intercom.io
+    https://api-iam.au.intercom.io 
+    https://api-ping.intercom.io  
+    https://nexus-websocket-a.intercom.io
+    wss://nexus-websocket-a.intercom.io
+    https://nexus-websocket-b.intercom.io
+    wss://nexus-websocket-b.intercom.io
+    https://nexus-europe-websocket.intercom.io 
+    wss://nexus-europe-websocket.intercom.io 
+    https://nexus-australia-websocket.intercom.io
+    wss://nexus-australia-websocket.intercom.io 
+    https://uploads.intercomcdn.com
+    https://uploads.intercomcdn.eu 
+    https://uploads.au.intercomcdn.com 
+    https://uploads.eu.intercomcdn.com
+    https://uploads.intercomusercontent.com
+    ;
+  worker-src
+    'self'
+    blob:
+    https://intercom-sheets.com
+    https://www.intercom-reporting.com 
+    https://www.youtube.com
+    https://player.vimeo.com
+    https://fast.wistia.net
     ;
-  worker-src 'self' blob:;
   ${env.NODE_ENV === "production" ? "upgrade-insecure-requests" : ""}
 `