CSP fix: allow only trustwallet assets repo from Github

celo-org · Oct 7, 2021 · 49436ab · 49436ab
1 parent d88d257
commit 49436ab
Show file tree

Hide file tree

Showing 3 changed files with 4 additions and 9 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,7 +4,7 @@
 - [#4625](https://github.com/blockscout/blockscout/pull/4625) - Contract address page: Add implementation link to the overview of proxy contracts
 - [#4624](https://github.com/blockscout/blockscout/pull/4624) - Support HTML tags in alert message
 - [#4608](https://github.com/blockscout/blockscout/pull/4608), [#4622](https://github.com/blockscout/blockscout/pull/4622) - Block Details page: Improved style of transactions button
-- [#4596](https://github.com/blockscout/blockscout/pull/4596) - Display token icon for bridged with Mainnet tokens or identicons for other tokens
+- [#4596](https://github.com/blockscout/blockscout/pull/4596), [#4681](https://github.com/blockscout/blockscout/pull/4681), [#4693](https://github.com/blockscout/blockscout/pull/4693) - Display token icon for bridged with Mainnet tokens or identicons for other tokens
 - [#4520](https://github.com/blockscout/blockscout/pull/4520) - Add support for EIP-1559
 - [#4593](https://github.com/blockscout/blockscout/pull/4593) - Add status in `Position` pane for txs have no block
 - [#4579](https://github.com/blockscout/blockscout/pull/4579) - Write contract page: Resize inputs; Improve multiplier selector

diff --git a/apps/block_scout_web/assets/static/manifest.webmanifest b/apps/block_scout_web/assets/static/manifest.webmanifest
@@ -15,7 +15,5 @@
     ],
     "theme_color": "#ffffff",
     "background_color": "#ffffff",
-    "display": "standalone",
-    "permissions": [ "https://raw.githubusercontent.com/" ],
-    "content_security_policy": "connect-src 'self' raw.githubusercontent.com;"
+    "display": "standalone"
 }
diff --git a/apps/block_scout_web/lib/block_scout_web/csp_header.ex b/apps/block_scout_web/lib/block_scout_web/csp_header.ex
@@ -10,11 +10,8 @@ defmodule BlockScoutWeb.CSPHeader do
 
   def call(conn, _opts) do
     Controller.put_secure_browser_headers(conn, %{
-      "content-security-policy" =>
-        "\
-        connect-src 'self' 'unsafe-inline' 'unsafe-eval' 'unsafe-hashes' https://cdn.segment.com https://api.segment.io https://request-global.czilladx.com/ https://raw.githubusercontent.com/ #{
-          websocket_endpoints(conn)
-        }; \
+      "content-security-policy" => "\
+        connect-src 'self' #{websocket_endpoints(conn)} https://request-global.czilladx.com/ https://raw.githubusercontent.com/trustwallet/assets/;\
         default-src 'self';\
         script-src 'self' 'unsafe-inline' 'unsafe-eval' 'unsafe-hashes' https://cdn.segment.com https://api.segment.io https://coinzillatag.com;\
         style-src 'self' 'unsafe-inline' 'unsafe-eval' https://fonts.googleapis.com;\