ledgerconnect/steemconnect

I think that .env.example needs quotes around CSP strings

Closed this issue · 2 comments

This works for me:

CSP_DEFAULT="'self',auth.ezira.src"
CSP_SCRIPT_SRC="'self',auth.ezira.src,'unsafe-eval','unsafe-inline'"
CSP_CONNECT_SRC="'self',auth.ezira.src,*.steemit.com"
CSP_FRAME_SRC="'self',auth.ezira.src"
CSP_STYLE_SRC="'self',auth.ezira.src,'unsafe-inline'"
CSP_IMG_SRC="'self',auth.ezira.src,steemitimages.com,steemit-production-imageproxy-thumbnail.s3.amazonaws.com,data:,data:font"
CSP_FONT_SRC="'self',auth.ezira.src"

This doesn't:

CSP_DEFAULT='self',auth.ezira.src
CSP_SCRIPT_SRC='self',auth.ezira.src,'unsafe-eval','unsafe-inline'
CSP_CONNECT_SRC='self',auth.ezira.src,*.steemit.com
CSP_FRAME_SRC='self',auth.ezira.src
CSP_STYLE_SRC='self',auth.ezira.src,'unsafe-inline'
CSP_IMG_SRC='self',auth.ezira.src,steemitimages.com,steemit-production-imageproxy-thumbnail.s3.amazonaws.com,data:,data:font
CSP_FONT_SRC='self',auth.ezira.src

I get this error using the 2nd option, which is the format the .env.example has:

The source list for Content Security Policy directive 'default-src' contains an invalid source: 'self''. It will be ignored.
The source list for Content Security Policy directive 'script-src' contains an invalid source: 'self''. It will be ignored.
The source list for Content Security Policy directive 'script-src' contains an invalid source: ''unsafe-inline'. It will be ignored.
The source list for Content Security Policy directive 'connect-src' contains an invalid source: 'self''. It will be ignored.
The source list for Content Security Policy directive 'frame-src' contains an invalid source: 'self''. It will be ignored.
The source list for Content Security Policy directive 'style-src' contains an invalid source: 'self''. It will be ignored.
The source list for Content Security Policy directive 'style-src' contains an invalid source: ''unsafe-inline'. It will be ignored.
The source list for Content Security Policy directive 'img-src' contains an invalid source: 'self''. It will be ignored.
The source list for Content Security Policy directive 'img-src' contains an invalid source: '<URL>'. It will be ignored.
The source list for Content Security Policy directive 'font-src' contains an invalid source: 'self''. It will be ignored.

Also, CSP_FONT_SRC needs data: too.

So I don't need any of the *.ezira.* bits, but I do still need to wrap 'self' in "'self'" to get it working.
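The quote mangling reported in this issue, reproduced as an added example (not the steemconnect project's own code). It assumes a simplified dotenv-style parser that strips one leading and one trailing quote character independently, and a reduced CSP source grammar; the `.env` sample lines are constructed from the ones above.

```javascript
// Added example, not code from the steemconnect project. It models the quote
// handling of a common dotenv parser (assumption: one leading and one trailing
// quote character are stripped independently) and checks each CSP source token
// roughly as a browser would, to show why the unquoted .env.example form breaks.

// Strip one leading and one trailing ' or " from a raw .env value, then trim.
function parseEnvValue(raw) {
  return raw.replace(/(^['"]|['"]$)/g, '').trim();
}

// Parse KEY=value lines into an object; lines that do not match are skipped.
function parseEnv(text) {
  const env = {};
  for (const line of text.split('\n')) {
    const m = line.match(/^\s*([\w.-]+)\s*=\s*(.*)?\s*$/);
    if (m) env[m[1]] = parseEnvValue(m[2] || '');
  }
  return env;
}

// Simplified CSP source grammar: quoted keyword, bare scheme ("data:"), or host
// with optional wildcard label and port. Real CSP also allows paths and nonces.
const CSP_SOURCE = /^('self'|'none'|'unsafe-inline'|'unsafe-eval'|[a-z][a-z0-9+.-]*:|(\*\.)?[a-z0-9.-]+(:\d+)?)$/i;

// Return the tokens of a comma-separated source list that would be rejected.
function invalidCspSources(list) {
  return list.split(',').map(s => s.trim()).filter(s => s && !CSP_SOURCE.test(s));
}

// Map every CSP_* variable in an .env text to its list of rejected tokens.
function reportInvalidSources(text) {
  const env = parseEnv(text);
  const report = {};
  for (const key of Object.keys(env)) {
    if (key.startsWith('CSP_')) report[key] = invalidCspSources(env[key]);
  }
  return report;
}

// Constructed sample: the unquoted .env.example form beside the double-quoted fix.
const UNQUOTED = [
  "CSP_DEFAULT='self',auth.ezira.src",
  "CSP_SCRIPT_SRC='self',auth.ezira.src,'unsafe-eval','unsafe-inline'",
  "CSP_IMG_SRC='self',auth.ezira.src,steemitimages.com,data:,data:font",
].join('\n');
const QUOTED = UNQUOTED.split('\n').map(l => l.replace('=', '="') + '"').join('\n');

console.log(reportInvalidSources(UNQUOTED)); // self', 'unsafe-inline, data:font rejected
console.log(reportInvalidSources(QUOTED));   // only data:font is still rejected
```

Wrapping the value in double quotes keeps the inner `'self'` intact, while the leading `'` of the unquoted form is eaten by the parser and the trailing `'` of the last keyword goes with it.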