Update Content Security Policy (#8858)

* remove items that are not approved/in use * add security as codeowners to csp * remove youtube
getsentry · Jan 11, 2024 · f8444ff · f8444ff · vercel · Jan 11, 2024
1 parent 89246be
commit f8444ff
Show file tree

Hide file tree

Showing 4 changed files with 9 additions and 27 deletions.
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
@@ -28,7 +28,6 @@
 /src/docs/product/discover-queries/ @getsentry/visibility
 /src/docs/product/performance/ @getsentry/visibility
 
-/src/docs/product/cli/ @kamilogorek
 /src/docs/product/cli/dif/ @getsentry/owners-native
 
 /.github/labels.yml @getsentry/open-source
@@ -45,3 +44,10 @@
 /src/wizard/javascript/replay-onboarding/               @getsentry/replay @getsentry/replay-sdk
 
 ###### End Replays #######
+
+###### Security ########
+
+# Requiring review from security team for Content-Security-Policy changes
+/vercel.json @getsentry/security
+
+###### End Security ####
diff --git a/src/components/markdown.tsx b/src/components/markdown.tsx
@@ -31,7 +31,7 @@ import {PiiFields} from './relayPiifields';
 import {SandboxLink, SandboxOnly} from './sandboxLink';
 import {SignInNote} from './signInNote';
 import {SmartLink} from './smartLink';
-import {VimeoEmbed, YouTubeEmbed} from './video';
+import {VimeoEmbed} from './video';
 
 const mdxComponents = {
   Alert,
@@ -60,7 +60,6 @@ const mdxComponents = {
   RelayMetrics,
   LambdaLayerDetail,
   VimeoEmbed,
-  YouTubeEmbed,
   SandboxLink,
   SandboxOnly,
   SignInNote,

diff --git a/src/components/video.tsx b/src/components/video.tsx
@@ -42,26 +42,3 @@ const StyledVimeoIframe = styled.iframe`
   height: 100%;
   border: 0;
 `;
-
-export function YouTubeEmbed({id, className}: Video) {
-  return (
-    <ResponsiveEmbed className={className}>
-      <StyledYouTubeIframe
-        src={`https://www.youtube-nocookie.com/embed/${id}?rel=0`}
-        frameBorder="0"
-        allowFullScreen
-        allow="accelerometer; autoplay; encrypted-media; gyroscope; picture-in-picture"
-      />
-    </ResponsiveEmbed>
-  );
-}
-
-const StyledYouTubeIframe = styled.iframe`
-  position: absolute;
-  top: 0;
-  bottom: 0;
-  left: 0;
-  width: 100%;
-  height: 100%;
-  border: 0;
-`;
diff --git a/vercel.json b/vercel.json
@@ -17,7 +17,7 @@
         },
         {
           "key": "Content-Security-Policy",
-          "value": "upgrade-insecure-requests; default-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval' *.sentry-cdn.com googleads.g.doubleclick.net m.servedby-buysellads.com www.googletagmanager.com plausible.io *.plausible.io; connect-src 'self' *.sentry.io sentry.io adservice.google.com *.algolia.net *.algolianet.com *.algolia.io plausible.io *.plausible.io reload.getsentry.net stats.g.doubleclick.net vitals.vercel-analytics.com; img-src * 'self' data: www.google.com img.youtube.com www.googletagmanager.com plausible.io *.plausible.io; style-src 'self' 'unsafe-inline'; font-src 'self' fonts.gstatic.com; frame-src demo.arcade.software player.vimeo.com; worker-src blob:; report-uri https://o1.ingest.sentry.io/api/1297620/security/?sentry_key=b3cfba5788cb4c138f855c8120f70eab"
+          "value": "upgrade-insecure-requests; default-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval' *.sentry-cdn.com www.googletagmanager.com plausible.io *.plausible.io; connect-src 'self' *.sentry.io sentry.io *.algolia.net *.algolianet.com *.algolia.io plausible.io *.plausible.io reload.getsentry.net; img-src * 'self' data: www.google.com www.googletagmanager.com plausible.io *.plausible.io; style-src 'self' 'unsafe-inline'; font-src 'self' fonts.gstatic.com; frame-src demo.arcade.software player.vimeo.com; worker-src blob:; report-uri https://o1.ingest.sentry.io/api/1297620/security/?sentry_key=b3cfba5788cb4c138f855c8120f70eab"
         }
       ]
     }