Merge pull request #62 from cardano-foundation/staging
Merge PR #61 into main
katomm authored May 29, 2024
2 parents 323f592 + c50b92b commit 5c3e7ab
Showing 1 changed file with 3 additions and 3 deletions.
6 changes: 3 additions & 3 deletions netlify.toml
@@ -8,8 +8,8 @@
X-Frame-Options = "DENY"
# Activates the browser's built-in cross-site scripting (XSS) filter and blocks responses if an attack is detected.
X-XSS-Protection = "1; mode=block"
# Ensures that only trusted content is executed and styled.
Content-Security-Policy = "default-src 'self'; script-src 'self' 'unsafe-inline' https://cardano.org https://new-cardano-org-staging.netlify.app https://www.googletagmanager.com https://js.hsforms.net https://forms.hsforms.com https://www.google.com https://www.gstatic.com; img-src 'self' https://cardano.org https://new-cardano-org-staging.netlify.app https://forms.hsforms.com https://forms-eu1.hsforms.com data: https://*.ytimg.com; style-src 'self' 'unsafe-inline'; frame-src 'self' https://www.youtube.com https://www.google.com https://forms-eu1.hsforms.com; media-src 'self' https://www.youtube.com; connect-src 'self' https://hubspot-forms-static-embed.s3.amazonaws.com https://forms.hsforms.com https://forms-eu1.hsforms.com"
# Ensures that only trusted content is executed and styled. TODO: Consider using nonces or hashes for inline scripts instead of unsafe-inline.
Content-Security-Policy = "default-src 'self'; script-src 'self' 'unsafe-inline' https://cardano.org https://new-cardano-org-staging.netlify.app https://www.googletagmanager.com https://js.hsforms.net https://forms.hsforms.com https://www.google.com https://www.gstatic.com; img-src 'self' https://cardano.org https://new-cardano-org-staging.netlify.app https://forms.hsforms.com https://forms-eu1.hsforms.com data: https://*.ytimg.com; style-src 'self' 'unsafe-inline'; frame-src 'self' https://www.youtube.com https://www.google.com https://*.hsforms.com; media-src 'self' https://www.youtube.com; connect-src 'self' https://hubspot-forms-static-embed.s3.amazonaws.com https://*.hsforms.com https://*.google-analytics.com"
# Enforces secure connections via HTTPS, protecting against certain types of man-in-the-middle attacks.
Strict-Transport-Security = "max-age=63072000; includeSubDomains; preload"
# Controls information provided as the HTTP Referer header when navigating from your site, enhancing privacy and security.
@@ -22,6 +22,6 @@
for = "/archive/static.iohk.io/adasale/*"
[headers.values]
X-Frame-Options = "SAMEORIGIN"
# This path has it's own content security policy
# This path has its own content security policy
Content-Security-Policy = "default-src 'self'; script-src 'self' 'unsafe-inline' https://cardano.org https://new-cardano-org-staging.netlify.app https://www.googletagmanager.com https://maxcdn.bootstrapcdn.com; img-src 'self' https://cardano.org https://new-cardano-org-staging.netlify.app data:; style-src 'self' 'unsafe-inline'; font-src 'self' https://maxcdn.bootstrapcdn.com"
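Review bot: The wildcard sources `https://*.hsforms.com` (in `frame-src` and `connect-src`) and `https://*.google-analytics.com` (in `connect-src`) on the new Content-Security-Policy line in the first hunk look wider than the page needs, given that `script-src` and `img-src` on the same line still name `forms.hsforms.com` and `forms-eu1.hsforms.com` explicitly. With `'unsafe-inline'` still in `script-src`, `connect-src` is the main remaining limit on where an injected script can send data, so I would keep explicit hosts there or record above the header which embed needs each wildcard, for example `# *.hsforms.com: HubSpot form embeds load from regional subdomains (confirm the exact hosts)`. The policy also sets no `base-uri` or `frame-ancestors`, neither of which falls back to `default-src`; appending `base-uri 'self'; frame-ancestors 'none'` would match the `X-Frame-Options = "DENY"` set just above it. The `[headers.values]` table this line belongs to starts outside the hunk, so other headers in it are not visible here.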
