From f8444ff3e31accc9f553fdfa4e52830099b679e2 Mon Sep 17 00:00:00 2001
From: Jeffrey Hung <17494876+Jeffreyhung@users.noreply.github.com>
Date: Thu, 11 Jan 2024 10:11:56 -0800
Subject: [PATCH] Update Content Security Policy (#8858)
* remove items that are not approved/in use
* add security as codeowners to csp
* remove youtube
---
.github/CODEOWNERS | 8 +++++++-
src/components/markdown.tsx | 3 +--
src/components/video.tsx | 23 -----------------------
vercel.json | 2 +-
4 files changed, 9 insertions(+), 27 deletions(-)
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index 83de8e4734009..2276fefb8c6ec 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -28,7 +28,6 @@
/src/docs/product/discover-queries/ @getsentry/visibility
/src/docs/product/performance/ @getsentry/visibility
-/src/docs/product/cli/ @kamilogorek
/src/docs/product/cli/dif/ @getsentry/owners-native
/.github/labels.yml @getsentry/open-source
@@ -45,3 +44,10 @@
/src/wizard/javascript/replay-onboarding/ @getsentry/replay @getsentry/replay-sdk
###### End Replays #######
+
+###### Security ########
+
+# Requiring review from security team for Content-Security-Policy changes
+/vercel.json @getsentry/security
+
+###### End Security ####
\ No newline at end of file
diff --git a/src/components/markdown.tsx b/src/components/markdown.tsx
index 9dcdcc4dc3f86..130748a43df0e 100644
--- a/src/components/markdown.tsx
+++ b/src/components/markdown.tsx
@@ -31,7 +31,7 @@ import {PiiFields} from './relayPiifields';
import {SandboxLink, SandboxOnly} from './sandboxLink';
import {SignInNote} from './signInNote';
import {SmartLink} from './smartLink';
-import {VimeoEmbed, YouTubeEmbed} from './video';
+import {VimeoEmbed} from './video';
const mdxComponents = {
Alert,
@@ -60,7 +60,6 @@ const mdxComponents = {
RelayMetrics,
LambdaLayerDetail,
VimeoEmbed,
- YouTubeEmbed,
SandboxLink,
SandboxOnly,
SignInNote,
diff --git a/src/components/video.tsx b/src/components/video.tsx
index 97ac3cc238298..c2c550e052609 100644
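Review bot: The new `###### End Security ####` line lands without a terminating newline (`\ No newline at end of file`), so the next touch to CODEOWNERS will show a spurious diff on this line; end the file with a newline. A CODEOWNERS entry only blocks a merge when the branch protection rule has "require review from code owners" enabled, which is not visible in this patch — confirm it is on, otherwise the security-team review stays advisory. Since the `},` context in the vercel.json hunk suggests the file holds other header entries too, the comment would be more accurate as `# Security-team review for response-header changes (incl. Content-Security-Policy)`.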
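Review bot: Dropping `YouTubeEmbed` from `mdxComponents` means any MDX page that still uses `<YouTubeEmbed>` is likely to fail when that page renders rather than at build time, and nothing in the hunk shows the docs were searched for remaining usages — confirm with a grep over `src/docs` before merging. A short comment next to `VimeoEmbed,` such as `// YouTubeEmbed intentionally removed: youtube.com is not in the CSP frame-src allowlist (vercel.json)` would stop the next contributor from re-registering it.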
--- a/src/components/video.tsx
+++ b/src/components/video.tsx
@@ -42,26 +42,3 @@ const StyledVimeoIframe = styled.iframe`
height: 100%;
border: 0;
`;
-
-export function YouTubeEmbed({id, className}: Video) {
- return (
-
-
- );
-}
-
-const StyledYouTubeIframe = styled.iframe`
- position: absolute;
- top: 0;
- bottom: 0;
- left: 0;
- width: 100%;
- height: 100%;
- border: 0;
-`;
diff --git a/vercel.json b/vercel.json
index 86078a4a8b784..aa48ef6e7f5f2 100644
--- a/vercel.json
+++ b/vercel.json
@@ -17,7 +17,7 @@
},
{
"key": "Content-Security-Policy",
- "value": "upgrade-insecure-requests; default-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval' *.sentry-cdn.com googleads.g.doubleclick.net m.servedby-buysellads.com www.googletagmanager.com plausible.io *.plausible.io; connect-src 'self' *.sentry.io sentry.io adservice.google.com *.algolia.net *.algolianet.com *.algolia.io plausible.io *.plausible.io reload.getsentry.net stats.g.doubleclick.net vitals.vercel-analytics.com; img-src * 'self' data: www.google.com img.youtube.com www.googletagmanager.com plausible.io *.plausible.io; style-src 'self' 'unsafe-inline'; font-src 'self' fonts.gstatic.com; frame-src demo.arcade.software player.vimeo.com; worker-src blob:; report-uri https://o1.ingest.sentry.io/api/1297620/security/?sentry_key=b3cfba5788cb4c138f855c8120f70eab"
+ "value": "upgrade-insecure-requests; default-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval' *.sentry-cdn.com www.googletagmanager.com plausible.io *.plausible.io; connect-src 'self' *.sentry.io sentry.io *.algolia.net *.algolianet.com *.algolia.io plausible.io *.plausible.io reload.getsentry.net; img-src * 'self' data: www.google.com www.googletagmanager.com plausible.io *.plausible.io; style-src 'self' 'unsafe-inline'; font-src 'self' fonts.gstatic.com; frame-src demo.arcade.software player.vimeo.com; worker-src blob:; report-uri https://o1.ingest.sentry.io/api/1297620/security/?sentry_key=b3cfba5788cb4c138f855c8120f70eab"
}
]
}
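Review bot: `default-src 'none'` does not fall back to `base-uri`, `form-action` or `frame-ancestors`, so the new `value` still leaves `<base>` injection, form exfiltration and clickjacking unconstrained; append `base-uri 'self'; form-action 'self'; frame-ancestors 'none'` to the policy (relax `frame-ancestors` only if the docs are legitimately embedded somewhere). `script-src` keeps `'unsafe-inline' 'unsafe-eval'`, so removing the ad hosts changes little for XSS resistance — moving to a nonce- or hash-based `script-src` is the change that would make this policy bite and is worth a tracked follow-up. `img-src *` already permits every host, so the host names listed after it (and the removal of `img.youtube.com`) are no-ops; keep `data:` but either drop the host list or replace `*` with it. Dropping `stats.g.doubleclick.net` and `vitals.vercel-analytics.com` from `connect-src` while `www.googletagmanager.com` stays in `script-src` may cause tag-manager-loaded beacons to be blocked — if that is not intended, watch the `report-uri` project after deploy.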