From cefcae2916590ff0b4766b5131de55946670e0a5 Mon Sep 17 00:00:00 2001
From: Kiril Kartunov
Date: Wed, 24 Jan 2024 23:37:22 +0200
Subject: [PATCH 1/4] PROD-4429 CSP headers update
---
 src/server/index.js | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/src/server/index.js b/src/server/index.js
index 765a13559..bb0478f9f 100644
--- a/src/server/index.js
+++ b/src/server/index.js
@@ -152,15 +152,17 @@ async function onExpressJsSetup(server) {
 + ' https://www.google-analytics.com'
 + ' https://43d132d5dbff47c59d9d53ad448f93c2.js.ubembed.com'
 + ' https://assets.ubembed.com'
- + ' https://browser.sentry-cdn.com'
 + ' https://cdn.heapanalytics.com'
 + ' https://cdn.segment.com'
 + ' https://connect.facebook.net'
 + ' https://d1of0acg2orgco.cloudfront.net'
 + ' https://d1mwkvp2xbqfs9.cloudfront.net'
 + ' https://d24oibycet9bsb.cloudfront.net'
- + ' https://fast.trychameleon.com'
 + ' https://static.zdassets.com'
+ + ' https://uni-nav.topcoder-dev.com'
+ + ' https://uni-nav.topcoder.com'
+ + ' https://js.hs-analytics.net'
+ + ' https://cdn-3.convertexperiments.com'
 + ' https://www.googletagmanager.com;'
 + " style-src 'report-sample' 'self' 'unsafe-inline'"
 + ` ${config.CDN.PUBLIC}`
@@ -180,8 +182,8 @@ async function onExpressJsSetup(server) {
 + ' https://api.segment.io'
 + ' https://cdn.segment.com'
 + ' https://ekr.zdassets.com'
- + ' https://fast.trychameleon.com'
 + ' https://stats.g.doubleclick.net'
+ + ' https://region1.analytics.google.com'
 + ' https://www.google-analytics.com;'
 + " font-src 'self'"
 + ' data:'
From 37c97174671f2b3208eccae7ed0fa7e58c47a427 Mon Sep 17 00:00:00 2001
From: Kiril Kartunov
Date: Wed, 24 Jan 2024 23:38:09 +0200
Subject: [PATCH 2/4] ci: on dev
---
 .circleci/config.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.circleci/config.yml b/.circleci/config.yml
index 3c07d6790..d6543c982 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
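Review bot: The four added script-src entries hard-code both the dev and the prod host (`uni-nav.topcoder-dev.com` and `uni-nav.topcoder.com`), so every deployment allows script from the other environment's origin, while two lines below the same policy already takes `config.CDN.PUBLIC` from config. Sourcing the uni-nav host from config the same way — e.g. `+ \` ${config.UNI_NAV_URL}\`` with a suitably named key (name constructed here) — would keep production's script-src limited to what production actually serves. The removal of `browser.sentry-cdn.com` and `fast.trychameleon.com` (here and in the connect-src hunk) is fine, but a sentence in the commit description stating that those integrations are gone would help, because a stale allow-list entry and a dropped integration look the same in this diff. onExpressJsSetup starts and ends outside the hunk.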
@@ -358,6 +358,7 @@ workflows: branches: only: - develop + - PROD-4429 # This is alternate dev env for parallel testing # Deprecate this workflow due to beta env shutdown # https://topcoder.atlassian.net/browse/CORE-251
From 8c55a2af867c24302378023fb5768789d46024f9 Mon Sep 17 00:00:00 2001
From: Kiril Kartunov
Date: Thu, 25 Jan 2024 08:58:10 +0200
Subject: [PATCH 3/4] tweak member-media and drop report-uri
---
 src/server/index.js | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/server/index.js b/src/server/index.js
index bb0478f9f..03f64f1bc 100644
--- a/src/server/index.js
+++ b/src/server/index.js
@@ -213,10 +213,11 @@ async function onExpressJsSetup(server) {
 + ' https://www.googletagmanager.com'
 + ' https://i.ytimg.com'
 + ' https://images.contentful.com'
+ + ' https://member-media.topcoder-dev.com'
+ + ' https://member-media.topcoder.com'
 + ' https://d0.awsstatic.com/logos/;'
 + " manifest-src 'self';"
 + " media-src 'self';"
- + ' report-uri https://623d4c23f90d055298b24042.endpoint.csper.io/?v=0;'
 + " worker-src 'self';",
 );
 }
From e9d01c1ad4e1e6753a146bbdcc15879102d90b6f Mon Sep 17 00:00:00 2001
From: Kiril Kartunov
Date: Thu, 25 Jan 2024 19:58:50 +0200
Subject: [PATCH 4/4] add platform url to config
---
 config/default.js | 1 +
 1 file changed, 1 insertion(+)
diff --git a/config/default.js b/config/default.js
index 88cdd1427..37cf1664c 100644
--- a/config/default.js
+++ b/config/default.js
@@ -478,4 +478,5 @@ module.exports = {
 MEMBER_SEARCH_REDIRECT_URL: 'https://talent-search.topcoder-dev.com',
 ACCOUNT_SETTINGS_REDIRECT_URL: 'https://account-settings.topcoder-dev.com',
 INNOVATION_CHALLENGES_TAG: 'Innovation Challenge',
+ PLATFORM_SITE_URL: 'https://platform.topcoder-dev.com',
 };
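Review bot: The `PROD-4429` entry added under the `only:` branch filter makes a feature branch a standing trigger for this workflow, and nothing in the hunk marks it as temporary. A trailing reminder such as `- PROD-4429 # TODO: remove once PROD-4429 is merged` would keep the entry from outliving the parallel-testing need it serves; if `# This is alternate dev env for parallel testing` is already the trailing comment on that line (the collapsed layout here makes that uncertain), only the removal reminder is missing. The enclosing workflow definition starts outside the hunk.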
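Review bot: Dropping the `report-uri` line leaves the policy with no violation reporting at all, so any regression from the other allow-list edits in this series (including the two member-media hosts added in this hunk) will surface only as user-visible breakage instead of as a report. If the csper endpoint is being retired, point the directive at its replacement, `+ ' report-uri <REPORTING_ENDPOINT_PLACEHOLDER>;'` with the real endpoint substituted (a matching `report-to` group is worth adding alongside it), or state in the commit description that reporting is intentionally removed. The two new hosts also repeat the hard-coded dev/prod pair pattern from the script-src change in patch 1, so `member-media.topcoder-dev.com` is allowed in production regardless of environment; the directive they belong to is named above the hunk. onExpressJsSetup starts outside the hunk.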
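Review bot: `PLATFORM_SITE_URL` is added only to `config/default.js` with the `-dev` host, and no production override appears anywhere in this series. The neighbouring `*_REDIRECT_URL` keys all carry `-dev` hosts too, which suggests a per-environment config file supplies the production values and should gain the same key (`PLATFORM_SITE_URL: '<PROD_PLATFORM_URL_PLACEHOLDER>'`). If this value ends up used as a redirect target or a CSP origin, make sure the production override lands in the same release so production does not silently fall back to the dev host.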