From ae94c489b6e7c2649eadf17a6c153d9c877070b2 Mon Sep 17 00:00:00 2001
From: Jan Brasna <1784648+janbrasna@users.noreply.github.com>
Date: Mon, 29 Jul 2024 13:07:59 +0200
Subject: [PATCH 1/3] Update CSP img-src
---
 bedrock/settings/__init__.py | 1 -
 1 file changed, 1 deletion(-)
diff --git a/bedrock/settings/__init__.py b/bedrock/settings/__init__.py
index 613ce2076f1..7c1e3ee795c 100644
--- a/bedrock/settings/__init__.py
+++ b/bedrock/settings/__init__.py
@@ -175,7 +175,6 @@
 ]
 _csp_img_src = [
 "data:",
- "mozilla.org",
 "www.googletagmanager.com",
 "www.google-analytics.com",
 "creativecommons.org",
From 43cc7021339673cc2c05a3ed0b4606c7562d3db1 Mon Sep 17 00:00:00 2001
From: Jan Brasna <1784648+janbrasna@users.noreply.github.com>
Date: Mon, 29 Jul 2024 14:08:35 +0200
Subject: [PATCH 2/3] Remove duplicate Pocket CSP
---
 bedrock/settings/__init__.py | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/bedrock/settings/__init__.py b/bedrock/settings/__init__.py
index 7c1e3ee795c..cb7352a75fc 100644
--- a/bedrock/settings/__init__.py
+++ b/bedrock/settings/__init__.py
@@ -130,14 +130,12 @@
 _csp_script_src = [
 # TODO fix use of OptanonWrapper() so that we don't need this
 csp.constants.UNSAFE_INLINE,
- # TODO onetrust cookie consent breaks
- # blocked without unsafe-eval. Find a way to remove that.
- "www.mozilla.org",
+ # TODO onetrust cookie consent needs this, explore ways of fixing
 csp.constants.UNSAFE_EVAL,
 "www.googletagmanager.com",
 "www.google-analytics.com",
 "cdn.cookielaw.org",
- "assets.getpocket.com", # allow Pocket Snowplow analytics
+ "www.mozilla.org",
 ]
 _csp_style_src = [
 csp.constants.UNSAFE_INLINE,
@@ -154,7 +152,6 @@
 "o1069899.ingest.sentry.io",
 "cdn.cookielaw.org",
 "privacyportal.onetrust.com",
- "getpocket.com", # Pocket Snowplow
 "geolocation.onetrust.com",
 ]
 _csp_connect_extra_for_dev = [
From 1029f7c9e8737dff8c9821beb69e2c34835ffe54 Mon Sep 17 00:00:00 2001
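Review bot: The reworded TODO placed above `csp.constants.UNSAFE_EVAL` in the `_csp_script_src` hunk no longer names the relaxation it excuses, and because `csp.constants.UNSAFE_INLINE` two lines up carries its own TODO, "needs this" leaves it ambiguous which of the two OneTrust actually depends on. Suggest keeping the directive value in the comment, e.g. `# TODO: OneTrust cookie consent breaks without 'unsafe-eval'; find a way to remove it`, so the follow-up stays actionable now that the Pocket-related entries are gone. It is also worth recording next to this list that while both 'unsafe-inline' and 'unsafe-eval' remain in script-src the directive acts as little more than a host allowlist and gives almost no protection against injected script, which makes these two TODOs the highest-value CSP follow-ups; dropping `assets.getpocket.com` and moving `"www.mozilla.org"` to the end of the list does not change that, since list order has no CSP meaning. The connect-src hunk below is a plain removal of `getpocket.com` and needs nothing further.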
From: Jan Brasna <1784648+janbrasna@users.noreply.github.com>
Date: Mon, 29 Jul 2024 14:11:10 +0200
Subject: [PATCH 3/3] Add object-src none to CSP report-only for test
---
 bedrock/settings/__init__.py | 1 +
 1 file changed, 1 insertion(+)
diff --git a/bedrock/settings/__init__.py b/bedrock/settings/__init__.py
index cb7352a75fc..44a01299b52 100644
--- a/bedrock/settings/__init__.py
+++ b/bedrock/settings/__init__.py
@@ -265,6 +265,7 @@
 CONTENT_SECURITY_POLICY_REPORT_ONLY["DIRECTIVES"]["report-uri"] = csp_report_uri
 # CSP directive updates we're testing that we hope to move to the enforced policy.
 CONTENT_SECURITY_POLICY_REPORT_ONLY["DIRECTIVES"]["frame-ancestors"] = [csp.constants.NONE]
+ CONTENT_SECURITY_POLICY_REPORT_ONLY["DIRECTIVES"]["object-src"] = [csp.constants.NONE]
 CONTENT_SECURITY_POLICY_REPORT_ONLY["DIRECTIVES"]["style-src"].remove(csp.constants.UNSAFE_INLINE)