
CSP configuration duplicates #14896

Open
janbrasna opened this issue Jul 29, 2024 · 2 comments
Labels
Bug 🐛 Something's not working the way it should

Comments

@janbrasna
Contributor

janbrasna commented Jul 29, 2024

Description

  1. The img-src directive lists both *.mozilla.org and mozilla.org; this is only some leftover from recent changes / testing.
  2. The prod CSP includes staging/nonprod CJ affiliate host. Is there a way to have it only in some form of dev extras or other env setting to not allow it on prod? Or is it actually intended to be able to test nonprod CJms from prod bedrock?
  3. Is the own sentry.prod.mozaws still being used?

Steps to reproduce

~ $ https -v HEAD www.mozilla.org/en-US (📟 ⎋)

Expected result

Content-Security-Policy: connect-src stage.cjms.nonprod.cloudops.mozgcp.net https://accounts.firefox.com/ sentry.prod.mozaws.net www.google-analytics.com 'self' cjms.services.mozilla.com o1069899.sentry.io *.mozilla.net *.mozilla.com region1.google-analytics.com www.googletagmanager.com *.mozilla.org o1069899.ingest.sentry.io; default-src 'self' *.mozilla.net *.mozilla.com *.mozilla.org; frame-src accounts.firefox.com www.google-analytics.com 'self' *.mozilla.net *.mozilla.com js.stripe.com www.youtube.com www.googletagmanager.com *.mozilla.org; style-src 'self' *.mozilla.net *.mozilla.com *.mozilla.org 'unsafe-inline'; img-src www.google-analytics.com creativecommons.org 'self' *.mozilla.net *.mozilla.com mozilla.org images.ctfassets.net www.googletagmanager.com *.mozilla.org data:; font-src 'self' *.mozilla.net *.mozilla.com *.mozilla.org; child-src accounts.firefox.com www.google-analytics.com 'self' *.mozilla.net *.mozilla.com js.stripe.com www.youtube.com www.googletagmanager.com *.mozilla.org; script-src www.google-analytics.com s.ytimg.com 'self' 'unsafe-eval' tagmanager.google.com *.mozilla.net *.mozilla.com js.stripe.com www.youtube.com www.googletagmanager.com *.mozilla.org 'unsafe-inline'

Actual result

Content-Security-Policy: connect-src stage.cjms.nonprod.cloudops.mozgcp.net https://accounts.firefox.com/ sentry.prod.mozaws.net www.google-analytics.com 'self' cjms.services.mozilla.com o1069899.sentry.io *.mozilla.net *.mozilla.com region1.google-analytics.com www.googletagmanager.com *.mozilla.org o1069899.ingest.sentry.io; default-src 'self' *.mozilla.net *.mozilla.com *.mozilla.org; frame-src accounts.firefox.com www.google-analytics.com 'self' *.mozilla.net *.mozilla.com js.stripe.com www.youtube.com www.googletagmanager.com *.mozilla.org; style-src 'self' *.mozilla.net *.mozilla.com *.mozilla.org 'unsafe-inline'; img-src www.google-analytics.com creativecommons.org 'self' *.mozilla.net *.mozilla.com mozilla.org images.ctfassets.net www.googletagmanager.com *.mozilla.org data:; font-src 'self' *.mozilla.net *.mozilla.com *.mozilla.org; child-src accounts.firefox.com www.google-analytics.com 'self' *.mozilla.net *.mozilla.com js.stripe.com www.youtube.com www.googletagmanager.com *.mozilla.org; script-src www.google-analytics.com s.ytimg.com 'self' 'unsafe-eval' tagmanager.google.com *.mozilla.net *.mozilla.com js.stripe.com www.youtube.com www.googletagmanager.com *.mozilla.org 'unsafe-inline'

@janbrasna janbrasna added the Bug 🐛 Something's not working the way it should label Jul 29, 2024
@janbrasna
Contributor Author

  1. Is the own sentry.prod.mozaws still being used?

Doesn't seem to be reachable in general: https://check-host.net/check-dns?host=sentry.prod.mozaws.net — so it's probably long offline?

@janbrasna
Contributor Author

  1. The prod CSP includes staging/nonprod CJ affiliate host. Is there a way to have it only in some form of dev extras or other env setting to not allow it on prod? Or is it actually intended to be able to test nonprod CJms from prod bedrock?

There seems to be the logic for dev vs. prod already prepared:

CJMS_AFFILIATE_ENDPOINT = "https://stage.cjms.nonprod.cloudops.mozgcp.net/aic" if DEV else "https://cjms.services.mozilla.com/aic"

that can be used in CSP similar to some FXA_ENDPOINT occurrences.

If it has a trailing slash, it's allowed as a prefix/wildcard; here the /aic doesn't have a trailing slash so it would only allow the /aic endpoint.
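A small CSP source-expression matcher, added here as an illustration (not code from bedrock or from the issue author), covering both points in this thread: the apex host listed beside its wildcard in img-src, and the trailing-slash path semantics that decide whether a CJMS_AFFILIATE_ENDPOINT value allows only /aic or everything under it. One caveat for the img-src item: under CSP Level 3 a `*.mozilla.org` entry does not itself cover the apex `mozilla.org`, so whether that entry is a leftover depends on whether images are ever loaded from the bare apex host. SAMPLE_CSP is a constructed, abridged copy of the header quoted above, and the page_origin default is an assumption.

```python
from urllib.parse import urlsplit

# Constructed abridged copy of the header quoted in the issue: keeps the
# mozilla.org / *.mozilla.org pair and the CJMS endpoints, drops the rest.
SAMPLE_CSP = (
    "connect-src stage.cjms.nonprod.cloudops.mozgcp.net https://accounts.firefox.com/ "
    "'self' cjms.services.mozilla.com *.mozilla.org; "
    "img-src 'self' *.mozilla.net mozilla.org images.ctfassets.net *.mozilla.org data:"
)

def parse_csp(header):
    """Split a serialized policy into {directive: [source expressions]}."""
    parts = (d.strip().split() for d in header.split(";"))
    return {t[0].lower(): t[1:] for t in parts if t}

def host_matches(pattern, host):
    """CSP host-part match: '*.example.com' covers subdomains but not the apex."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])  # suffix keeps the dot, so apex is excluded
    return pattern == host

def source_matches(source, url, page_origin="https://www.mozilla.org"):
    """Would this host-source expression allow a fetch of `url`?
    Simplified: ports, nonces and hashes are not handled, and a scheme-less
    source accepts any scheme here (the spec ties it to the page's own scheme)."""
    u = urlsplit(url)
    if source == "'self'":  # assumed page origin; real 'self' compares scheme/host/port
        return url == page_origin or url.startswith(page_origin + "/")
    if source.endswith(":"):                       # scheme-source, e.g. data:
        return u.scheme == source[:-1]
    s = urlsplit(source if "://" in source else "https://" + source)
    if "://" in source and s.scheme != u.scheme:
        return False
    if not host_matches(s.hostname or "", u.hostname or ""):
        return False
    if not s.path:                                 # bare host: every path allowed
        return True
    if s.path.endswith("/"):                       # trailing slash: path prefix
        return u.path.startswith(s.path)
    return u.path == s.path                        # no trailing slash: exact path only

def apex_beside_wildcard(policy):
    """Directives that list a host next to its own '*.' wildcard (the img-src case)."""
    found = {d: [s for s in srcs if "*." + s in srcs] for d, srcs in policy.items()}
    return {d: hosts for d, hosts in found.items() if hosts}
```

Running `apex_beside_wildcard(parse_csp(SAMPLE_CSP))` flags only img-src, and `source_matches` shows the /aic endpoint without a trailing slash admitting exactly that path while the `https://accounts.firefox.com/` entry admits any path on that host.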
