From 256fc52e2bece2192bd6a31965ee85014e923cf4 Mon Sep 17 00:00:00 2001
From: Adrian Goh Jun Wei
Date: Mon, 18 Nov 2024 19:27:27 +0800
Subject: [PATCH] fix - wrong secrets used (#888)

* fix - wrong secrets used

* pass in client side key in directly

* remove quote

* remove path from connect-src

* fix - script src

* update CSP

* remove semicolon
---
 .github/workflows/aws_deploy.yml | 4 +-
 apps/studio/next.config.mjs | 82 ++++++++++++++++++++++++++++----
 2 files changed, 75 insertions(+), 11 deletions(-)

diff --git a/.github/workflows/aws_deploy.yml b/.github/workflows/aws_deploy.yml
index ebddd6e59c..8df05caa90 100644
--- a/.github/workflows/aws_deploy.yml
+++ b/.github/workflows/aws_deploy.yml
@@ -166,8 +166,8 @@ jobs:
 NEXT_PUBLIC_S3_REGION=${{ inputs.app-s3-region }}
 NEXT_PUBLIC_S3_ASSETS_DOMAIN_NAME=${{ inputs.app-s3-assets-domain-name }}
 NEXT_PUBLIC_S3_ASSETS_BUCKET_NAME=${{ inputs.app-s3-assets-bucket-name }}
- NEXT_PUBLIC_GROWTHBOOK_CLIENT_KEY:${{ secrets.GROWTHBOOK_CLIENT_KEY }}
- NEXT_PUBLIC_INTERCOM_APP_ID:${{ secrets.INTERCOM_APP_ID }}
+ NEXT_PUBLIC_GROWTHBOOK_CLIENT_KEY=sdk-r07MHTLLgfdVDThi
+ NEXT_PUBLIC_INTERCOM_APP_ID=jv2tjc3g
 deploy:
 name: Deploy image to ECS
diff --git a/apps/studio/next.config.mjs b/apps/studio/next.config.mjs
index 2e8dc78a97..131adb8367 100644
--- a/apps/studio/next.config.mjs
+++ b/apps/studio/next.config.mjs
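Review bot: The two replacement lines hard-code the GrowthBook client key and the Intercom app id as literals, while every other build arg in this block is driven by `inputs.*`, so every environment this workflow deploys is now pinned to the same GrowthBook project and Intercom workspace and changing either requires a code change rather than a settings change. Both are `NEXT_PUBLIC_` values that end up in the client bundle, so this is a configuration-consistency point rather than a secret exposure, but they belong in the workflow's `inputs` declaration like the S3 settings, e.g. `NEXT_PUBLIC_GROWTHBOOK_CLIENT_KEY=${{ inputs.app-growthbook-client-key }}` and `NEXT_PUBLIC_INTERCOM_APP_ID=${{ inputs.app-intercom-app-id }}` (constructed input names; the `inputs` block that would declare them is outside this hunk). The step that owns these build args starts and ends outside the hunk.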
@@ -17,28 +17,92 @@ TODO: Removing this CSP first
 const ContentSecurityPolicy = `
 default-src 'none';
 base-uri 'self';
- font-src 'self' https: data:;
- form-action 'self';
+ font-src
+ 'self'
+ https:
+ data:
+ https://js.intercomcdn.com
+ https://fonts.intercomcdn.com
+ ;
+ form-action
+ 'self'
+ https://intercom.help
+ https://api-iam.intercom.io
+ https://api-iam.eu.intercom.io
+ https://api-iam.au.intercom.io
+ ;
 frame-ancestors 'self';
 img-src * data: blob:;
- frame-src 'self';
+ frame-src
+ 'self'
+ https://intercom-sheets.com
+ https://www.intercom-reporting.com
+ https://www.youtube.com
+ https://player.vimeo.com
+ https://fast.wistia.net
+ ;
 object-src 'none';
- script-src 'self' 'unsafe-eval' https://*.wogaa.sg;
- style-src 'self' https: 'unsafe-inline';
+ script-src
+ 'self'
+ 'unsafe-eval'
+ https://*.wogaa.sg
+ https://app.intercom.io
+ https://widget.intercom.io
+ https://js.intercomcdn.com
+ ;
+ style-src
+ 'self'
+ https:
+ 'unsafe-inline'
+ ;
+ media-src
+ https://js.intercomcdn.com
+ https://downloads.intercomcdn.com
+ https://downloads.intercomcdn.eu
+ https://downloads.au.intercomcdn.com
+ ;
 connect-src
 'self'
 https://schema.isomer.gov.sg
 https://browser-intake-datadoghq.com
 https://*.browser-intake-datadoghq.com
- https://vitals.vercel-insights.com/v1/vitals
+ https://vitals.vercel-insights.com
 https://*.amazonaws.com
 https://*.wogaa.sg
 https://placehold.co
- https://cdn.growthbook.io/api/features/${env.NEXT_PUBLIC_GROWTHBOOK_CLIENT_KEY}
- https://widget.intercom.io/widget/${env.NEXT_PUBLIC_INTERCOM_APP_ID}
+ https://cdn.growthbook.io
 ${env.NODE_ENV === "production" ? 
"https://isomer-user-content.by.gov.sg" : "https://*.by.gov.sg"} + https://via.intercom.io + https://api.intercom.io + https://api.au.intercom.io + https://api.eu.intercom.io + https://api-iam.intercom.io + https://api-iam.eu.intercom.io + https://api-iam.au.intercom.io + https://api-ping.intercom.io + https://nexus-websocket-a.intercom.io + wss://nexus-websocket-a.intercom.io + https://nexus-websocket-b.intercom.io + wss://nexus-websocket-b.intercom.io + https://nexus-europe-websocket.intercom.io + wss://nexus-europe-websocket.intercom.io + https://nexus-australia-websocket.intercom.io + wss://nexus-australia-websocket.intercom.io + https://uploads.intercomcdn.com + https://uploads.intercomcdn.eu + https://uploads.au.intercomcdn.com + https://uploads.eu.intercomcdn.com + https://uploads.intercomusercontent.com + ; + worker-src + 'self' + blob: + https://intercom-sheets.com + https://www.intercom-reporting.com + https://www.youtube.com + https://player.vimeo.com + https://fast.wistia.net ; - worker-src 'self' blob:; ${env.NODE_ENV === "production" ? "upgrade-insecure-requests" : ""} `