From f92570c0d39c16adec6ef6ccbef32dd0585e00f3 Mon Sep 17 00:00:00 2001
From: Dmitry Verkhoturov
Date: Tue, 9 Jan 2024 00:09:07 +0000
Subject: [PATCH] fix CSP report-to header
---
 config/nginx/security_headers.conf | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/config/nginx/security_headers.conf b/config/nginx/security_headers.conf
index 4b7371c..f10ca34 100644
--- a/config/nginx/security_headers.conf
+++ b/config/nginx/security_headers.conf
@@ -17,4 +17,5 @@ add_header Strict-Transport-Security 'max-age=31536000; includeSubdomains; prelo
 add_header Referrer-Policy same-origin;
 # CSP header, built with https://addons.mozilla.org/en/firefox/addon/laboratory-by-mozilla/
-add_header Content-Security-Policy "default-src 'self'; connect-src 'self' https://*.clickfraud.ru https://*.google.com https://*.google.ru https://analytics.bitrix.info https://api.clickfraud.dev https://fs-group.bitrix24.ru https://mc.yandex.com/ https://mc.yandex.md/ https://mc.yandex.ru/ https://stats.g.doubleclick.net; font-src 'self' data: https://fonts.bitrix24.ru https://yastatic.net https://dev.cdn-favor-group.ru https://static.cdn-favor-group.ru; frame-src 'self' https://yandex.ru https://mc.yandex.ru https://www.google.com https://www.youtube.com/embed/ https://www.1tv.ru/embed/ https://static.1tv.ru/eump/embeds/; img-src 'self' data: blob: https://*.google.ru https://www.googletagmanager.com https://*.yandex.com https://*.yandex.com https://*.yandex.net https://*.yandex.ru https://counter.yadro.ru https://dev.cdn-favor-group.ru https://static.cdn-favor-group.ru; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://*.clickfraud.ru https://cdn-ru.bitrix24.ru https://cdn.jsdelivr.net/npm/ https://cdnjs.cloudflare.com/ajax/libs/ https://core-renderer-tiles.maps.yandex.net https://dct.mango-office.ru https://enterprise.api-maps.yandex.ru/ https://fs-group.bitrix24.ru/bitrix/js/crm/site/form/dist/ https://mc.yandex.ru/metrika/tag.js https://widgets.mango-office.ru/widgets/ https://www.google.com/recaptcha/ https://www.googletagmanager.com/gtm.js https://www.googletagmanager.com/gtag/js https://www.gstatic.com/recaptcha/ https://dev.cdn-favor-group.ru https://static.cdn-favor-group.ru https://yastatic.net/share2/share.js; style-src 'self' 'unsafe-inline' https://fonts.bitrix24.ru/css https://fs-group.bitrix24.ru/bitrix/js/crm/site/form/dist/ https://dev.cdn-favor-group.ru https://static.cdn-favor-group.ru; manifest-src 'self'; media-src 'none'; object-src 'none'; child-src https://www.google.com https://yandex.ru; worker-src 'none'; frame-ancestors 'self'; form-action 'self'; base-uri 'none'; script-src-attr 'unsafe-inline'; style-src-attr 'unsafe-inline'; report-uri https://o4506532003840000.ingest.sentry.io/api/4506532009738240/security/?sentry_key=ef58566724eba7c9be0cf1a7fa561953; report-to {\"group\":\"default\",\"max_age\":10886400,\"endpoints\":[{\"url\":\"https://o4506532003840000.ingest.sentry.io/api/4506532009738240/security/?sentry_key=ef58566724eba7c9be0cf1a7fa561953\"}],\"include_subdomains\":true}" always;
+add_header Content-Security-Policy "default-src 'self'; connect-src 'self' https://stat1.clickfraud.ru/matomo.php https://rcv3.clickfraud.ru/calc13.php https://*.google.com https://*.google.ru https://analytics.bitrix.info https://api.clickfraud.dev https://fs-group.bitrix24.ru https://mc.yandex.com/ https://mc.yandex.md/ https://mc.yandex.ru/ https://sovetnik.market.yandex.ru/ab-front https://stats.g.doubleclick.net; font-src 'self' data: https://fonts.bitrix24.ru https://yastatic.net https://dev.cdn-favor-group.ru https://static.cdn-favor-group.ru; frame-src 'self' https://yandex.ru https://mc.yandex.ru https://www.google.com https://www.youtube.com/embed/ https://www.1tv.ru/embed/ https://static.1tv.ru/eump/embeds/; img-src 'self' data: blob: https://*.google.ru https://www.googletagmanager.com https://*.yandex.com https://*.yandex.net https://*.yandex.ru https://counter.yadro.ru https://dev.cdn-favor-group.ru https://static.cdn-favor-group.ru https://favor-group.ru/bitrix/spread.php; script-src 'self' 'report-sample' 'unsafe-inline' 'unsafe-eval' https://*.clickfraud.ru https://cdn-ru.bitrix24.ru https://cdn.jsdelivr.net/npm/ https://cdnjs.cloudflare.com/ajax/libs/ https://core-renderer-tiles.maps.yandex.net https://dct.mango-office.ru https://enterprise.api-maps.yandex.ru/ https://fs-group.bitrix24.ru/bitrix/js/crm/site/form/dist/ https://mc.yandex.ru/metrika/tag.js https://mc.yandex.ru/watch/ https://widgets.mango-office.ru/widgets/ https://www.google.com/recaptcha/ https://www.googletagmanager.com/gtm.js https://www.googletagmanager.com/gtag/js https://www.gstatic.com/recaptcha/ https://dev.cdn-favor-group.ru https://static.cdn-favor-group.ru https://yastatic.net/share2/share.js https://yandex.ru https://mc.yandex.com/watch/; style-src 'self' 'report-sample' 'unsafe-inline' https://fonts.bitrix24.ru/css https://fs-group.bitrix24.ru/bitrix/js/crm/site/form/dist/ https://dev.cdn-favor-group.ru https://static.cdn-favor-group.ru; manifest-src 'self'; media-src 'none'; object-src 'none'; child-src https://www.google.com https://yandex.ru; worker-src 'none'; frame-ancestors 'self'; form-action 'self'; base-uri 'none'; script-src-attr 'unsafe-inline'; style-src-attr 'unsafe-inline'; report-uri https://o4506532003840000.ingest.sentry.io/api/4506532009738240/security/?sentry_key=ef58566724eba7c9be0cf1a7fa561953; report-to default" always;
+add_header Report-To '{\"group\":\"default\",\"max_age\":10886400,\"endpoints\":[{\"url\":\"https://o4506532003840000.ingest.sentry.io/api/4506532009738240/security/?sentry_key=ef58566724eba7c9be0cf1a7fa561953\"}],\"include_subdomains\":true}';
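Review bot: The new `Report-To` line at the end of the hunk is missing the `always` flag that the `Content-Security-Policy` line carries, so nginx emits it only for the default add_header status codes (200, 201, 204, 206, 301–304, 307, 308) while the CSP header, sent on every response including 4xx/5xx, names a `report-to default` group the browser cannot resolve unless it was cached from an earlier response; violations on error pages would then fall back to `report-uri` only. Appending the flag to match the CSP line, `add_header Report-To '{...}' always;`, keeps the two headers consistent on every status. Separately, `Report-To` is the Reporting API v0 header; Chromium has since moved to `Reporting-Endpoints: default="<url>"` and Firefox, at least as of this commit, honours only `report-uri`, so keeping `report-uri` in place is right and a `Reporting-Endpoints` header pointing at the same endpoint would cover current browsers. The Sentry endpoint URL now appears verbatim in both `report-uri` and the `Report-To` JSON; factoring it into a `set` variable would stop the two from drifting apart on the next edit.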