fix: update Content Security Policy to include additional domains for connect-src and script-src

markhazleton · markhazleton · commit 7c61fdb55d9d · 2026-04-14T08:34:57.000-05:00
diff --git a/.documentation/SECURITY.md b/.documentation/SECURITY.md
@@ -37,19 +37,20 @@ The application implements CSP headers to prevent XSS attacks and unauthorized r
 ```
 Content-Security-Policy:
   default-src 'self';
-  connect-src 'self' https://markhazleton.com https://*.markhazleton.com https://cdnjs.cloudflare.com https://v2.jokeapi.dev https://api.openweathermap.org wss://webspark.markhazleton.com ws://localhost:* http://localhost:*;
-  script-src 'self' 'unsafe-inline' 'unsafe-eval';
+  connect-src 'self' https://markhazleton.com https://*.markhazleton.com https://cdnjs.cloudflare.com https://v2.jokeapi.dev https://api.openweathermap.org wss://webspark.markhazleton.com ws://localhost:* http://localhost:* https://cloudflareinsights.com https://stats.g.doubleclick.net https://www.google.com;
+  script-src 'self' 'unsafe-inline' 'unsafe-eval' https://static.cloudflareinsights.com;
   style-src 'self' 'unsafe-inline' https://cdnjs.cloudflare.com;
   img-src 'self' data: https: http: blob:;
   font-src 'self' data: https:;
   media-src 'self' https: http:;
-  frame-src 'none';
+  frame-src 'self' https://www.youtube.com https://www.youtube-nocookie.com;
   worker-src 'self' blob:;
 ```
 
 **Key Points**:
 
 - `connect-src` includes wildcard for markhazleton.com subdomains to support service worker fetches
+- `connect-src` also allows the Google analytics endpoints used by Cloudflare Zaraz
 - `img-src`, `font-src`, `media-src` use protocol-level wildcards for flexibility with external resources
 - Service workers (`worker-src`) can load from same origin and blob URLs
 
diff --git a/staticwebapp.config.json b/staticwebapp.config.json
@@ -60,7 +60,7 @@
     "X-Content-Type-Options": "nosniff",
     "X-Frame-Options": "DENY",
     "X-XSS-Protection": "1; mode=block",
-    "Content-Security-Policy": "default-src 'self'; connect-src 'self' https://markhazleton.com https://*.markhazleton.com https://cdnjs.cloudflare.com https://v2.jokeapi.dev https://api.openweathermap.org wss://webspark.markhazleton.com ws://localhost:* http://localhost:* https://cloudflareinsights.com; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://static.cloudflareinsights.com; style-src 'self' 'unsafe-inline' https://cdnjs.cloudflare.com; img-src 'self' data: https: http: blob:; font-src 'self' data: https:; media-src 'self' https: http:; frame-src 'self' https://www.youtube.com https://www.youtube-nocookie.com; worker-src 'self' blob:;",
+    "Content-Security-Policy": "default-src 'self'; connect-src 'self' https://markhazleton.com https://*.markhazleton.com https://cdnjs.cloudflare.com https://v2.jokeapi.dev https://api.openweathermap.org wss://webspark.markhazleton.com ws://localhost:* http://localhost:* https://cloudflareinsights.com https://stats.g.doubleclick.net https://www.google.com; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://static.cloudflareinsights.com; style-src 'self' 'unsafe-inline' https://cdnjs.cloudflare.com; img-src 'self' data: https: http: blob:; font-src 'self' data: https:; media-src 'self' https: http:; frame-src 'self' https://www.youtube.com https://www.youtube-nocookie.com; worker-src 'self' blob:;",
     "_CSP_WARNING": "DO NOT TIGHTEN THIS CSP! Site fetches all images/data from markhazleton.com. See .github/copilot-instructions.md @csp rule before changing.",
     "Access-Control-Allow-Origin": "*",
     "Access-Control-Allow-Methods": "GET, POST, PUT, DELETE, OPTIONS",
diff --git a/vite.config.ts b/vite.config.ts
@@ -90,7 +90,7 @@ export default defineConfig({
       // DO NOT TIGHTEN - Site pulls all images/data from markhazleton.com
       // See .github/copilot-instructions.md @csp rule for details
       "Content-Security-Policy":
-        "default-src 'self'; connect-src 'self' https://markhazleton.com https://*.markhazleton.com https://cdnjs.cloudflare.com https://v2.jokeapi.dev https://api.openweathermap.org wss://webspark.markhazleton.com ws://localhost:* http://localhost:* https://cloudflareinsights.com; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://static.cloudflareinsights.com; style-src 'self' 'unsafe-inline' https://cdnjs.cloudflare.com; img-src 'self' data: https: http: blob:; font-src 'self' data: https:; media-src 'self' https: http:; frame-src 'self' https://www.youtube.com https://www.youtube-nocookie.com; worker-src 'self' blob:;",
+        "default-src 'self'; connect-src 'self' https://markhazleton.com https://*.markhazleton.com https://cdnjs.cloudflare.com https://v2.jokeapi.dev https://api.openweathermap.org wss://webspark.markhazleton.com ws://localhost:* http://localhost:* https://cloudflareinsights.com https://stats.g.doubleclick.net https://www.google.com; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://static.cloudflareinsights.com; style-src 'self' 'unsafe-inline' https://cdnjs.cloudflare.com; img-src 'self' data: https: http: blob:; font-src 'self' data: https:; media-src 'self' https: http:; frame-src 'self' https://www.youtube.com https://www.youtube-nocookie.com; worker-src 'self' blob:;",
     },
     proxy: {
       "/rss-feed": {
