Restrict CSP a bit more (tighten report-only default-src to self)

mozilla · Nov 21, 2024 · 0d43d4c · 0d43d4c
1 parent 98d347e
commit 0d43d4c
Showing 1 changed file with 2 additions and 4 deletions.
diff --git a/bedrock/settings/__init__.py b/bedrock/settings/__init__.py
@@ -28,16 +28,13 @@
 ]
 _csp_img_src = [
     "data:",
-    "mozilla.org",
     "www.googletagmanager.com",
     "www.google-analytics.com",
     "images.ctfassets.net",
 ]
 _csp_script_src = [
-    # TODO fix things so that we don't need this
+    # TODO change settings so we don't need unsafes even in dev
     csp.constants.UNSAFE_INLINE,
-    # TODO snap.svg.js passes a string to Function() which is
-    # blocked without unsafe-eval. Find a way to remove that.
     csp.constants.UNSAFE_EVAL,
     "www.googletagmanager.com",
     "www.google-analytics.com",
@@ -125,6 +122,7 @@
     CONTENT_SECURITY_POLICY_REPORT_ONLY["DIRECTIVES"]["report-uri"] = csp_ro_report_uri
 
     # CSP directive updates we're testing that we hope to move to the enforced policy.
+    CONTENT_SECURITY_POLICY_REPORT_ONLY["DIRECTIVES"]["default-src"] = [csp.constants.SELF]
     CONTENT_SECURITY_POLICY_REPORT_ONLY["DIRECTIVES"]["frame-ancestors"] = [csp.constants.NONE]
     CONTENT_SECURITY_POLICY_REPORT_ONLY["DIRECTIVES"]["style-src"].remove(csp.constants.UNSAFE_INLINE)