Merge pull request #2955 from buildkite/csp-refresh

A few tweaks to our report-only CSP header
buildkite · Sep 4, 2024 · 5b96460 · 5b96460
2 parents f27716e + ef494ce
commit 5b96460
Showing 1 changed file with 12 additions and 2 deletions.
diff --git a/config/initializers/content_security_policy.rb b/config/initializers/content_security_policy.rb
@@ -19,7 +19,7 @@
 Rails.application.config.content_security_policy do |policy|
   policy.default_src :self
   policy.font_src    :self, "https://www2.buildkiteassets.com/"
-  policy.object_src  :none, "https://beacon-v2.helpscout.net"
+  policy.object_src  "https://beacon-v2.helpscout.net"
   policy.style_src   :self, :unsafe_inline, "https://beacon-v2.helpscout.net"
 
   policy.img_src(
@@ -44,6 +44,8 @@
   policy.script_src *policy.script_src, :unsafe_eval, "http://#{ ViteRuby.config.host_with_port }" if Rails.env.development?
 
   policy.connect_src(
+    "https://www.google-analytics.com",
+
     # allow AJAX queries against our search vendor
     "https://#{ENV['ALGOLIA_APP_ID']}-dsn.algolia.net",
     "https://#{ENV['ALGOLIA_APP_ID']}-1.algolianet.com",
@@ -52,14 +54,22 @@
 
     "https://cdn.segment.com/",
     "https://api.segment.io/",
+
+    # We have Datadog Real User Monitoring enabled
+    "https://rum.browser-intake-datadoghq.com",
+
+    # For collecting feedback from customers
     "https://emojicom.io/",
+
+    # helpscout beacon sends data to two places
     "https://beacon-v2.helpscout.net",
-    "https://rum.browser-intake-datadoghq.com"
+    "https://d3hb14vkzrxvla.cloudfront.net",
   )
 
   # Allow @vite/client to hot reload changes in development
   policy.connect_src *policy.connect_src, "ws://#{ ViteRuby.config.host_with_port }" if Rails.env.development?
 
+  # For collecting feedback from customers
   policy.frame_src(
     "https://cdn.emojicom.io/"
   )