Merge pull request #286 from gouravmore/all-1.4.0

Issue #235359 fix: Missing Content Security Policy for learner ai app
Sunbird-ALL · Feb 25, 2025 · 5619a77 · 5619a77
2 parents 8b05e29 + 3bbc047
commit 5619a77
Showing 1 changed file with 18 additions and 0 deletions.
diff --git a/public/index.html b/public/index.html
@@ -12,6 +12,7 @@
       name="description"
       content="Base React App structure for Devigital Systems Projects"
     />
+
     <!-- <link rel="apple-touch-icon" href="%PUBLIC_URL%/logo192.png" /> -->
     <link rel="manifest" href="%PUBLIC_URL%/manifest.json" />
     <link rel="preconnect" href="https://fonts.googleapis.com" />
@@ -24,6 +25,23 @@
     <script src="./js/jquery-3.7.0.min.js" defer></script>
     <script src="https://cdn.jsdelivr.net/npm/[email protected]/dist/confetti.browser.min.js"></script>
     <title>EkStep</title>
+
+    <!-- Content Security Policy -->
+    <meta http-equiv="Content-Security-Policy" content="
+      default-src 'self';
+      script-src 'self' https://cdn.jsdelivr.net/npm/[email protected]/dist/confetti.browser.min.js 'unsafe-eval';
+      style-src 'self' https://fonts.googleapis.com https://fonts.cdnfonts.com 'unsafe-inline';
+      object-src 'none';
+      base-uri 'self';
+      connect-src 'self' *.theall.ai;
+      font-src 'self' https://fonts.googleapis.com https://fonts.cdnfonts.com https://fonts.gstatic.com;
+      frame-src 'self';
+      img-src 'self' https://images.squarespace-cdn.com;
+      manifest-src 'self';
+      media-src 'self';
+      worker-src 'none';
+    " />
+
   </head>
   <body>
     <div id="root" />