From 4c6f30d179b2a0f74d9d5c8703f3087aade05598 Mon Sep 17 00:00:00 2001
From: Alexander Tarasov
Date: Tue, 11 Jul 2023 23:05:17 +0200
Subject: [PATCH] Enforce Content Security Policy (#7322)

* enforce Content Security Policy
* add missing `frame-src player.vimeo.com`
* CSP: remove `*.google-analytics.com` since we removed GA; add `img.youtube.com` to allow showing YouTube thumbnails at least
* remove more google analytics

---
 vercel.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/vercel.json b/vercel.json
index aea9aa221ca43..f015fa4a8bf19 100644
--- a/vercel.json
+++ b/vercel.json
@@ -16,8 +16,8 @@
 "value": "1; mode=block"
 },
 {
- "key": "Content-Security-Policy-Report-Only",
- "value": "upgrade-insecure-requests; default-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval' *.sentry-cdn.com googleads.g.doubleclick.net m.servedby-buysellads.com www.googletagmanager.com www.google-analytics.com plausible.io *.plausible.io; connect-src 'self' *.sentry.io sentry.io adservice.google.com *.algolia.net *.algolianet.com *.algolia.io *.google-analytics.com plausible.io *.plausible.io analytics.google.com region1.analytics.google.com reload.getsentry.net stats.g.doubleclick.net vitals.vercel-analytics.com; img-src * 'self' data: www.google.com www.google-analytics.com www.googletagmanager.com plausible.io *.plausible.io; style-src 'self' 'unsafe-inline'; font-src 'self' fonts.gstatic.com; worker-src blob:; report-uri https://sentry.io/api/1297620/security/?sentry_key=b3cfba5788cb4c138f855c8120f70eab"
+ "key": "Content-Security-Policy",
+ "value": "upgrade-insecure-requests; default-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval' *.sentry-cdn.com googleads.g.doubleclick.net m.servedby-buysellads.com www.googletagmanager.com plausible.io *.plausible.io; connect-src 'self' *.sentry.io sentry.io adservice.google.com *.algolia.net *.algolianet.com *.algolia.io plausible.io *.plausible.io reload.getsentry.net stats.g.doubleclick.net vitals.vercel-analytics.com; img-src * 'self' data: www.google.com img.youtube.com www.googletagmanager.com plausible.io *.plausible.io; style-src 'self' 'unsafe-inline'; font-src 'self' fonts.gstatic.com; frame-src player.vimeo.com; worker-src blob:; report-uri https://o1.ingest.sentry.io/api/1297620/security/?sentry_key=b3cfba5788cb4c138f855c8120f70eab"
 }
 ]
 }
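Review bot: The now-enforced `script-src` still carries `'unsafe-inline' 'unsafe-eval'`, so any injected inline script or string-evaluated code is permitted and the header provides little XSS mitigation; that weakness predates this commit, but moving to enforcement is the point at which a nonce- or hash-based allowlist (e.g. with `'strict-dynamic'`) should be planned, and keeping a second, stricter `Content-Security-Policy-Report-Only` header alongside the enforced one would let that tightening be trialled without breaking pages. `base-uri`, `form-action` and `frame-ancestors` do not fall back to `default-src 'none'`, so consider appending `base-uri 'self'; form-action 'self'; frame-ancestors 'none'` to the value (the last only if the site is never meant to be framed — any X-Frame-Options header lives outside this hunk). `img-src *` already allows every http and https origin, so the explicit hosts listed after it are redundant, while `data:` is still required since `*` does not cover non-network schemes. The `headers` array that contains this entry begins outside the hunk.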