From 3dd51be4abc5682a3e6ac9716d99bd73d2b6e72f Mon Sep 17 00:00:00 2001
From: Anthony Sansone
Date: Wed, 21 Feb 2024 16:52:40 -0600
Subject: [PATCH] Added CSP test policy (#10157)

The Flutter docs site scores a [C for security](https://securityheaders.com/?q=https%3A%2F%2Fdocs.flutter.dev). One factor is the Content Security Policy, an HTTP header that can prevent [Cross Site Scripting (XSS)](https://securityheaders.com/?q=https%3A%2F%2Fdocs.flutter.dev) attacks. This PR adds the CSP to the Flutter docs site HTTP headers. It would resemble the fix applied to the Dart homepage in [Dart PR #3540](https://github.com/dart-lang/site-www/pull/3540) based on [Dart issue #1521](https://github.com/dart-lang/site-www/issues/1521) This change is based on the pub.dev site.
Fixes #6381
Co-authored-by: Brett Morgan
---
 firebase.json | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)

diff --git a/firebase.json b/firebase.json
index 7fc2b93305f..14e13202062 100644
--- a/firebase.json
+++ b/firebase.json
@@ -620,8 +620,22 @@
     {
       "source": "**",
       "headers": [
-        { "key": "Referrer-Policy", "value": "strict-origin-when-cross-origin"},
-        { "key": "X-Content-Type-Options", "value": "nosniff"}
+        {
+          "key": "Referrer-Policy",
+          "value": "strict-origin-when-cross-origin"
+        },
+        {
+          "key": "X-Content-Type-Options",
+          "value": "nosniff"
+        },
+        {
+          "key": "Content-Security-Policy-Report-Only",
+          "value": "default-src 'self' https:; font-src 'self' data: https://fonts.googleapis.com/ https://fonts.gstatic.com/; img-src 'self' https: data:; manifest-src 'none'; object-src 'none'; script-src 'self' 'unsafe-inline' 'sha256-TLFf6uphGKcmsQh139FXW+zI8+m+KYC/3ai/rTu4NO0=' 'sha256-BOF631Nskv2A6eetluVBrNcDbYRYd/+b3wU9NBtGKGQ=' 'sha256-ye5TuohbcxBNy6HcVWdwfRHAUaHjKdBTXjRsm92zCdo=' 'sha256-GdPtwIl3lB8GPexRo/QmApVAGQ/y1zRYuxJPZTpT6TQ=' 'sha512-3gJwYpMe3QewGELv8k/BX9vcqhryRdzRMxVfq6ngyWXwo03GFEzjsUm8Q7RZcHPHksttq7/GFoxjCVUjkjvPdw==' 'sha512-ubuT8Z88WxezgSqf3RLuNi5lmjstiJcyezx34yIU2gAHonIi27Na7atqzUZCOoY4CExaoFumzOsFQ2Ch+I/HCw==' 'sha512-7rusk8kGPFynZWu26OKbTeI+QPoYchtxsmPeBqkHIEXJxeun4yJ4ISYe7C6sz9wdxeE1Gk3VxsIWgCZTc+vX3g==' 'sha512-7O5pXpc0oCRrxk8RUfDYFgn0nO1t+jLuIOQdOMRp4APB7uZ4vSjspzp5y6YDtDs4VzUSTbWzBFZ/LKJhnyFOKw==' 'sha512-nlp9/l96/EpjYBx7EP7pGASVXNe80hGhYAUrjeXnu/fyF5Py0/RXav4BBNs7n5Hx1WFhOEOWSAVjGeC3oKxDVQ=='; style-src 'self' https://unpkg.com/ https://pub.dartlang.org/static/ 'unsafe-inline' https://fonts.googleapis.com/ https://gstatic.com https://www.gstatic.com/ https://tagmanager.google.com https://accounts.google.com/gsi/style; frame-src 'self' https://youtube.com https://*.youtube.com https://dartpad.dev https://*.dartpad.dev; media-src 'self' https://youtube.com https://*.youtube.com; require-trusted-types-for 'script'"
+        },
+        {
+          "key": "X-Frame-Options",
+          "value": "'SAMEORIGIN' always;"
+        }
       ]
     }
 ]
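Review bot: The `X-Frame-Options` value `'SAMEORIGIN' always;` in the last added header is not a valid token for that header — the quotes and trailing `always;` look like nginx `add_header` syntax carried over — and browsers ignore an unrecognised value, so as written the header grants no clickjacking protection; it should be `"value": "SAMEORIGIN"`. The `Content-Security-Policy-Report-Only` value carries no `report-uri` or `report-to` directive, so violations are only surfaced in the browser console and nothing is collected to judge whether the policy can later be enforced. `script-src` combines `'unsafe-inline'` with hash sources; browsers that understand hashes ignore `'unsafe-inline'` once a hash is present, so any inline script not covered by the listed hashes will be reported now and blocked once the header is switched to enforcing. A `frame-ancestors 'self'` directive in the CSP would be the forward-looking equivalent of `X-Frame-Options` and is worth adding alongside it. The closing `]` on the final context line belongs to an array that begins outside the hunk.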