Merge pull request #11945 from raisedadead/fix/csp-optimizely-bootstrap

fix(csp): add optimizely for csp errors in production
2016-12-09 11:52:28 -08:00 · 2016-12-09 11:52:28 -08:00 · 19a27ac479
parent 70845c9609 94bc4d310e
commit 19a27ac479
1 changed files with 14 additions and 5 deletions
--- a/server/middlewares/csp.js
+++ b/server/middlewares/csp.js
@ -5,13 +5,19 @@ let trusted = [
 ];

 if (process.env.NODE_ENV !== 'production') {
-  trusted.push('ws://localhost:3001');
+  trusted = trusted.concat([
+    'ws://localhost:3000'
+  ]);
 }

 export default function csp() {
  return helmet.contentSecurityPolicy({
    directives: {
-      defaultSrc: trusted.concat('*.optimizely.com'),
+      defaultSrc: trusted.concat([
+        'https://*.cloudflare.com',
+        '*.cloudflare.com',
+        'https://*.optimizely.com'
+      ]),
      scriptSrc: [
        "'unsafe-eval'",
        "'unsafe-inline'",
@ -27,7 +33,8 @@ export default function csp() {
        '*.twimg.com',
        'https://*.twimg.com',
        '*.youtube.com',
-        '*.ytimg.com'
+        '*.ytimg.com',
+        'https://*.optimizely.com'
      ].concat(trusted),
      styleSrc: [
        "'unsafe-inline'",
@ -36,7 +43,8 @@ export default function csp() {
        '*.bootstrapcdn.com',
        'https://*.bootstrapcdn.com',
        '*.cloudflare.com',
-        'https://*.cloudflare.com'
+        'https://*.cloudflare.com',
+        'https://*.optimizely.com'
      ].concat(trusted),
      fontSrc: [
        '*.cloudflare.com',
@ -44,7 +52,8 @@ export default function csp() {
        '*.bootstrapcdn.com',
        '*.googleapis.com',
        '*.gstatic.com',
-        'https://*.bootstrapcdn.com'
+        'https://*.bootstrapcdn.com',
+        'https://*.optimizely.com'
      ].concat(trusted),
      imgSrc: [
        // allow all input since we have user submitted images for