
Commit 33e7854

committed
Allow all images in CSP for now since we hotlink
1 parent f6cbfeb commit 33e7854


1 file changed

+5
-3
lines changed


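--- a/stubbornjava-webapp/src/main/java/com/stubbornjava/webapp/StubbornJavaWebApp.java
+++ b/stubbornjava-webapp/src/main/java/com/stubbornjava/webapp/StubbornJavaWebApp.java
@@ -36,9 +36,11 @@ private static HttpHandler exceptionHandler(HttpHandler next) {
 private static HttpHandler contentSecurityPolicy(HttpHandler delegate) {
 return new ContentSecurityPolicyHandler.Builder()
 .defaultSrc(ContentSecurityPolicy.SELF)
-.scriptSrc("'self'", "https://www.google-analytics.com")
-.imgSrc("'self'", "https://www.google-analytics.com")
-.connectSrc("'self'", "https://www.google-analytics.com")
+.scriptSrc(ContentSecurityPolicy.SELF.getValue(), "https://www.google-analytics.com")
+// Drop the wildcard when we host our own images.
+.imgSrc(ContentSecurityPolicy.SELF.getValue(), "https://www.google-analytics.com", "*")
+.connectSrc(ContentSecurityPolicy.SELF.getValue(), "https://www.google-analytics.com")
+.fontSrc(ContentSecurityPolicy.SELF.getValue(), "data:")
 .styleSrc(ContentSecurityPolicy.SELF.getValue(), ContentSecurityPolicy.UNSAFE_INLINE.getValue())
 .build(delegate);
 }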
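Review bot: Once `"*"` is in the `.imgSrc(...)` call, the `'self'` and google-analytics entries on the same line are redundant, because the wildcard already matches every http/https origin, so the directive reads as tighter than what the browser will actually enforce. Note also that `*` does not match `data:` or `blob:` image URLs, so any inline/data-URI images on the site remain blocked despite the relaxation; worth confirming nothing depends on those before treating this as "all images allowed". I would either collapse the line to `.imgSrc("*")` or keep the explicit entries and say so in the comment, e.g. `// TODO: remove "*" once images are self-hosted; the explicit sources below are the intended final policy.` A minor consistency point: `.defaultSrc(ContentSecurityPolicy.SELF)` passes the enum while every other directive now passes `.getValue()`; if the builder accepts both that is fine, but picking one form throughout would make the policy easier to audit.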
