
Commit bdf8448

committed
feat: refine CSP with dedicated script-src-elem allowlist
Introduced `csp_script_src_elem_allow` for finer-grained control over the sources allowed for `<script>` elements, and updated `cloudfront.tf` so the `script-src-elem` CSP directive uses the new allowlist instead of sharing `csp_script_src_allow`.
1 parent 323e629 commit bdf8448



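--- a/infra/cloudfront.tf
+++ b/infra/cloudfront.tf
@@ -14,6 +14,14 @@ locals {
 "https://www.googletagmanager.com",
 "https://www.google-analytics.com"
 ]
+csp_script_src_elem_allow = [
+"'self'",
+"'unsafe-inline'",
+"https://casteels.dev",
+"https://utteranc.es",
+"https://www.googletagmanager.com",
+"https://www.google-analytics.com"
+]
 csp_style_src_allow = [
 "'self'",
 "'unsafe-inline'",
@@ -48,7 +56,7 @@ locals {
 csp_directives = [
 "default-src ${join(" ", local.csp_default_src)}",
 "script-src ${join(" ", local.csp_script_src_allow)}",
-"script-src-elem ${join(" ", local.csp_script_src_allow)}",
+"script-src-elem ${join(" ", local.csp_script_src_elem_allow)}",
 "style-src ${join(" ", local.csp_style_src_allow)}",
 "font-src ${join(" ", local.csp_font_src_allow)}",
 "img-src ${join(" ", local.csp_img_src_allow)}",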
