From 17d5990173ec46e24b822b1f957fecc98057423d Mon Sep 17 00:00:00 2001
From: Jari-Pekka Voutilainen <jari-pekka.voutilainen@gofore.com>
Date: Mon, 29 Jul 2024 15:59:09 +0300
Subject: [PATCH] add browser sentry cdn domain and https protocols

---
 ansible/roles/nginx/templates/nginx_security_headers.conf.j2 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ansible/roles/nginx/templates/nginx_security_headers.conf.j2 b/ansible/roles/nginx/templates/nginx_security_headers.conf.j2
index 384e0ff3..e45ad9aa 100644
--- a/ansible/roles/nginx/templates/nginx_security_headers.conf.j2
+++ b/ansible/roles/nginx/templates/nginx_security_headers.conf.j2
@@ -2,7 +2,7 @@
 add_header X-XSS-Protection "1; mode=block";
 
 # Content security policies allowing content to be loaded from specified addresses
-add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' *.matomo.cloud platform.twitter.com syndication.twitter.com cdn.syndication.twimg.com *.disqus.com https://disqus.com *.disquscdn.com www.google-analytics.com https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ js-de.sentry-cdn.com; img-src 'self' *.avoindata.fi *.opendata.fi *.disqus.com *.disquscdn.com *.disquscdn.com www.google-analytics.com data: *.twitter.com *.twimg.com *.disqus.com www.google-analytics.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://platform.twitter.com https://ton.twimg.com *.disquscdn.com https://www.google.com https://ajax.googleapis.com; font-src 'self' https://themes.googleusercontent.com; frame-src 'self' syndication.twitter.com https://platform.twitter.com https://disqus.com *.disqus.com https://www.google.com/recaptcha/; object-src 'none'; connect-src 'self' *.matomo.cloud https://links.services.disqus.com wss://realtime.services.disqus.com *.sentry.io";
+add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' *.matomo.cloud platform.twitter.com syndication.twitter.com cdn.syndication.twimg.com *.disqus.com https://disqus.com *.disquscdn.com www.google-analytics.com https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://js-de.sentry-cdn.com https://browser.sentry-cdn.com; img-src 'self' *.avoindata.fi *.opendata.fi *.disqus.com *.disquscdn.com *.disquscdn.com www.google-analytics.com data: *.twitter.com *.twimg.com *.disqus.com www.google-analytics.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://platform.twitter.com https://ton.twimg.com *.disquscdn.com https://www.google.com https://ajax.googleapis.com; font-src 'self' https://themes.googleusercontent.com; frame-src 'self' syndication.twitter.com https://platform.twitter.com https://disqus.com *.disqus.com https://www.google.com/recaptcha/; object-src 'none'; connect-src 'self' *.matomo.cloud https://links.services.disqus.com wss://realtime.services.disqus.com *.sentry.io";
 
 # Strict Transport Security (use only https)
 add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";