feat: nginx.conf updated with url sources based on cfpb analytics whi…

…telist (#818) closes #817 ## Changes - feat: nginx.conf updated with url sources based on cfpb analytics whitelist ## How to test this PR 1. Test the deployment for google analytics handling
cfpb · Aug 1, 2024 · f35e303 · f35e303
1 parent 6d1546a
commit f35e303
Showing 1 changed file with 9 additions and 2 deletions.
diff --git a/nginx/nginx.conf b/nginx/nginx.conf
@@ -43,7 +43,14 @@ http {
   sub_filter nonce-placeholder $request_id;
 
   # CSP
-  add_header Content-Security-Policy "default-src 'self' blob:; script-src 'self' 'nonce-$request_id' blob: data: ${cfpb_domains} https://dap.digitalgov.gov https://tagmanager.google.com https://www.googletagmanager.com https://www.google-analytics.com https://www.consumerfinance.gov https://cdn.mouseflow.com; img-src 'self' blob: data: https://www.google-analytics.com https://raw.githubusercontent.com; style-src 'self' 'unsafe-inline'; font-src 'self' data:; object-src 'none'; frame-src 'self' https://www.youtube.com/ https://ffiec.cfpb.gov/; connect-src 'self' ${cfpb_domains} https://www.consumerfinance.gov https://raw.githubusercontent.com https://ffiec-api.cfpb.gov https://ffiec.cfpb.gov https://*.mapbox.com https://www.google-analytics.com https://s3.amazonaws.com http://*.algolia.net https://stats.g.doubleclick.net;";
+  add_header Content-Security-Policy "default-src 'self' blob:; 
+    script-src 'self' 'unsafe-inline' 'unsafe-eval' 'nonce-$request_id' blob: data: ${cfpb_domains} *.consumerfinance.gov dap.digitalgov.gov *.googleanalytics.com *.google-analytics.com *.googletagmanager.com *.mouseflow.com; 
+    style-src 'self' 'unsafe-inline' *.consumerfinance.gov *.googletagmanager.com fonts.googleapis.com; 
+    img-src 'self' *.consumerfinance.gov s3.amazonaws.com *.google-analytics.com *.googletagmanager.com blob: data: *.mouseflow.com; 
+    frame-src 'self' *.consumerfinance.gov *.googletagmanager.com *.google-analytics.com mailto: *.mouseflow.com;
+    font-src 'self' https://ffiec.cfpb.gov/ fonts.gstatic.com *.mouseflow.com;
+    connect-src 'self' ${cfpb_domains} *.consumerfinance.gov https://ffiec-api.cfpb.gov https://ffiec.cfpb.gov *.google-analytics.com s3.amazonaws.com *.mouseflow.com;
+    child-src 'self' *.mouseflow.com;";
 
   # Restrict referrer
   add_header Referrer-Policy "strict-origin";
@@ -137,4 +144,4 @@ http {
     location ~* /user/.*\.(txt|md|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ { return 418; }
   }
 
-}
+}