Update CSP for cloudflare

highemerly · Oct 9, 2023 · 112c51c · 112c51c
1 parent b1e6ce2
commit 112c51c
Showing 1 changed file with 6 additions and 3 deletions.
diff --git a/config/initializers/content_security_policy.rb b/config/initializers/content_security_policy.rb
@@ -19,7 +19,10 @@ def host_to_url(str)
 media_host ||= host_to_url(ENV['S3_HOSTNAME']) if ENV['S3_ENABLED'] == 'true'
 media_host ||= assets_host
 
-instance_ticker_host     = 'https://34.si'
+instance_ticker_host             = 'https://34.si'
+cloudflare_insights_script_host  = 'https://static.cloudflareinsights.com'
+cloudflare_insights_connect_host = 'https://cloudflareinsights.com'
+cloudflare_mirage_script_host    = 'https://ajax.cloudflare.com'
 
 def sso_host
   return unless ENV['ONE_CLICK_SSO_LOGIN'] == 'true'
@@ -66,8 +69,8 @@ def sso_host
     p.connect_src :self, :data, :blob, assets_host, media_host, Rails.configuration.x.streaming_api_base_url, *webpacker_urls
     p.script_src  :self, :unsafe_inline, :unsafe_eval, assets_host
   else
-    p.connect_src :self, :data, :blob, assets_host, media_host, Rails.configuration.x.streaming_api_base_url
-    p.script_src  :self, assets_host, "'wasm-unsafe-eval'"
+    p.connect_src :self, :data, :blob, assets_host, media_host, cloudflare_insights_connect_host, Rails.configuration.x.streaming_api_base_url
+    p.script_src  :self, assets_host, cloudflare_insights_script_host, cloudflare_mirage_script_host, "'wasm-unsafe-eval'"
   end
 end