From 49436ab5cc4148e59c9aa5f432e0d4c4da464428 Mon Sep 17 00:00:00 2001
From: Viktor Baranov
Date: Mon, 27 Sep 2021 17:36:36 +0300
Subject: [PATCH] CSP fix: allow only trustwallet assets repo from Github

---
 CHANGELOG.md | 2 +-
 apps/block_scout_web/assets/static/manifest.webmanifest | 4 +---
 apps/block_scout_web/lib/block_scout_web/csp_header.ex | 7 ++-----
 3 files changed, 4 insertions(+), 9 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 30b3f426fcfd..e4de0c5da540 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,7 +4,7 @@
 - [#4625](https://github.com/blockscout/blockscout/pull/4625) - Contract address page: Add implementation link to the overview of proxy contracts
 - [#4624](https://github.com/blockscout/blockscout/pull/4624) - Support HTML tags in alert message
 - [#4608](https://github.com/blockscout/blockscout/pull/4608), [#4622](https://github.com/blockscout/blockscout/pull/4622) - Block Details page: Improved style of transactions button
-- [#4596](https://github.com/blockscout/blockscout/pull/4596) - Display token icon for bridged with Mainnet tokens or identicons for other tokens
+- [#4596](https://github.com/blockscout/blockscout/pull/4596), [#4681](https://github.com/blockscout/blockscout/pull/4681), [#4693](https://github.com/blockscout/blockscout/pull/4693) - Display token icon for bridged with Mainnet tokens or identicons for other tokens
 - [#4520](https://github.com/blockscout/blockscout/pull/4520) - Add support for EIP-1559
 - [#4593](https://github.com/blockscout/blockscout/pull/4593) - Add status in `Position` pane for txs have no block
 - [#4579](https://github.com/blockscout/blockscout/pull/4579) - Write contract page: Resize inputs; Improve multiplier selector
diff --git a/apps/block_scout_web/assets/static/manifest.webmanifest b/apps/block_scout_web/assets/static/manifest.webmanifest
index 5686f7e4d7ac..b20abb7cbb29 100644
--- a/apps/block_scout_web/assets/static/manifest.webmanifest
+++ b/apps/block_scout_web/assets/static/manifest.webmanifest
@@ -15,7 +15,5 @@
 ],
 "theme_color": "#ffffff",
 "background_color": "#ffffff",
- "display": "standalone",
- "permissions": [ "https://raw.githubusercontent.com/" ],
- "content_security_policy": "connect-src 'self' raw.githubusercontent.com;"
+ "display": "standalone"
 }
diff --git a/apps/block_scout_web/lib/block_scout_web/csp_header.ex b/apps/block_scout_web/lib/block_scout_web/csp_header.ex
index 2f704768ca68..f393323efa4e 100644
--- a/apps/block_scout_web/lib/block_scout_web/csp_header.ex
+++ b/apps/block_scout_web/lib/block_scout_web/csp_header.ex
@@ -10,11 +10,8 @@ defmodule BlockScoutWeb.CSPHeader do
 def call(conn, _opts) do
 Controller.put_secure_browser_headers(conn, %{
- "content-security-policy" =>
- "\
- connect-src 'self' 'unsafe-inline' 'unsafe-eval' 'unsafe-hashes' https://cdn.segment.com https://api.segment.io https://request-global.czilladx.com/ https://raw.githubusercontent.com/ #{
- websocket_endpoints(conn)
- }; \
+ "content-security-policy" => "\
+ connect-src 'self' #{websocket_endpoints(conn)} https://request-global.czilladx.com/ https://raw.githubusercontent.com/trustwallet/assets/;\
 default-src 'self';\
 script-src 'self' 'unsafe-inline' 'unsafe-eval' 'unsafe-hashes' https://cdn.segment.com https://api.segment.io https://coinzillatag.com;\
 style-src 'self' 'unsafe-inline' 'unsafe-eval' https://fonts.googleapis.com;\