Merge pull request #924 from maxmind/jpoole/csp-upd8-august

mm-jpoole · web-flow · commit ffbfa3ab2214 · 2024-08-22T13:36:28.000-07:00
Update CSP - August 2024
diff --git a/static/_headers b/static/_headers
@@ -1,5 +1,5 @@
 /*
-  Content-Security-Policy: connect-src 'self' *.googleapis.com *.doubleclick.net https://status.maxmind.com https://www.maxmind.com https://api.hubspot.com https://forms.hscollectedforms.net https://forms.hsforms.com https://*.google-analytics.com https://*.analytics.google.com https://*.googletagmanager.com https://*.g.doubleclick.net https://*.google.com; default-src 'self'; font-src 'self' fonts.gstatic.com; form-action 'self' *.paypal.com; frame-ancestors 'self'; frame-src 'self' *.paypal.com https://app.hubspot.com www.youtube.com; img-src 'self' data: https:; object-src 'none'; script-src 'self' 'report-sample' 'unsafe-inline'  https://js.hs-scripts.com https://js.hs-analytics.net https://js.hscollectedforms.net https://js.hs-banner.com https://js.usemessages.com https://www.maxmind.com *.googleapis.com www.youtube.com https://www.googleadservices.com https://www.google.com; style-src 'self' 'unsafe-inline' *.googleapis.com
+  Content-Security-Policy: connect-src 'self' *.googleapis.com *.doubleclick.net https://status.maxmind.com https://www.maxmind.com https://api.hubspot.com https://forms.hscollectedforms.net https://forms.hsforms.com https://*.google-analytics.com https://*.analytics.google.com https://*.googletagmanager.com https://*.g.doubleclick.net https://*.google.com; default-src 'self'; font-src 'self' fonts.gstatic.com; form-action 'self' *.paypal.com; frame-ancestors 'self'; frame-src 'self' *.doubleclick.net *.paypal.com https://app.hubspot.com www.youtube.com; img-src 'self' data: https:; object-src 'none'; script-src 'self' 'report-sample' 'unsafe-inline'  https://js.hs-scripts.com https://js.hs-analytics.net https://js.hscollectedforms.net https://js.hs-banner.com https://js.usemessages.com https://www.maxmind.com *.googleapis.com www.youtube.com https://www.googleadservices.com https://www.google.com https://*.googletagmanager.com; style-src 'self' 'unsafe-inline' *.googleapis.com
   Feature-Policy: accelerometer 'none'; autoplay 'none'; camera 'none'; encrypted-media 'none'; fullscreen 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; payment 'none'; picture-in-picture 'none'; usb 'none'; sync-xhr 'none'
   Permissions-Policy: accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), serial=(), speaker-selection=(), usb=(), web-share=(), xr-spatial-tracking=()
   Referrer-Policy: strict-origin-when-cross-origin
