From 92783292dfb5a9a8acaf2bab1c13aec8b83ac835 Mon Sep 17 00:00:00 2001
From: lazysoundsystem
Date: Thu, 24 Oct 2024 18:18:05 +0200
Subject: [PATCH] chore: disallow data: for csp

Refs: OPS-10754
---
 config/seckit.settings.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/config/seckit.settings.yml b/config/seckit.settings.yml
index a0cd1f7..647ee61 100644
--- a/config/seckit.settings.yml
+++ b/config/seckit.settings.yml
@@ -11,12 +11,12 @@ seckit_xss:
 script-src: "'self' 'unsafe-inline' fonts.googleapis.com www.gstatic.com https://*.google.com https://*.googletagmanager.com *.google-analytics.com https://tagmanager.google.com"
 object-src: "'none'"
 style-src: "'self' 'unsafe-inline' https://googletagmanager.com https://tagmanager.google.com fonts.googleapis.com"
- img-src: "'self' data: https://*.google-analytics.com https://*.googletagmanager.com gstatic.com https://www.google.com https://google.com"
+ img-src: "'self' https://*.google-analytics.com https://*.googletagmanager.com gstatic.com https://www.google.com https://google.com"
 media-src: "'none'"
 frame-src: "'self' https://www.googletagmanager.com *.un.org https://cdnapisec.kaltura.com"
 frame-ancestors: "'self'"
 child-src: "'self'"
- font-src: "'self' data: fonts.gstatic.com"
+ font-src: "'self' fonts.gstatic.com"
 connect-src: "'self' https://*.google-analytics.com https://analytics.google.com https://*.analytics.google.com https://*.googletagmanager.com"
 report-uri: /report-csp-violation
 upgrade-req: false
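Review bot: Removing `data:` from the new `img-src` and `font-src` lines will block any inline base64 image or font the site still emits (editor toolbar icons, theme sprites, embedded previews), and nothing in the hunk shows that was verified; since `report-uri: /report-csp-violation` is already configured, check the collected reports for `blocked-uri: data` against these two directives before relying on the stricter policy, or roll it out first under seckit's report-only CSP option if this deployment has it. This file looks like a Drupal config export, so a YAML comment recording the rationale would presumably be dropped on the next export; keep the OPS-10754 reference in the commit rather than the file. For perspective, the unchanged `script-src` context line still carries `'unsafe-inline'` and the scheme-less `*.google-analytics.com`, which weigh far more for XSS than `data:` in an image or font directive and deserve a follow-up. The `seckit_xss` mapping that holds these keys begins before the hunk.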