From 38a23899c4985362f92074703118732380f622ad Mon Sep 17 00:00:00 2001
From: john-rock
Date: Mon, 9 Dec 2024 16:14:49 -0500
Subject: [PATCH 1/8] add strict csp policy
---
 website/vercel.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/website/vercel.json b/website/vercel.json
index fa90697a517..fac47ebede7 100644
--- a/website/vercel.json
+++ b/website/vercel.json
@@ -3651,7 +3651,7 @@
 },
 {
 "key": "Content-Security-Policy",
- "value": "img-src 'self' data: https:;"
+ "value": "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.googletagmanager.com https://*.getdbt.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; img-src 'self' data: https: blob:; font-src 'self' data: https://fonts.gstatic.com https://fonts.googleapis.com; frame-src 'self' https://www.youtube.com https://www.loom.com; connect-src 'self' https://*.getdbt.com https://*.algolia.net https://*.algolianet.com https://www.google-analytics.com; object-src 'none'; base-uri 'self'; form-action 'self';"
 },
 {
 "key": "Strict-Transport-Security",
From 24e44ea26e8f106f7e6cdf8c9bb435aebe4e9047 Mon Sep 17 00:00:00 2001
From: john-rock
Date: Mon, 9 Dec 2024 16:28:15 -0500
Subject: [PATCH 2/8] update more resources
---
 website/vercel.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/website/vercel.json b/website/vercel.json
index fac47ebede7..4de52e96391 100644
--- a/website/vercel.json
+++ b/website/vercel.json
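Review bot: The new script-src on the `+` line keeps both `'unsafe-inline'` and `'unsafe-eval'`, so despite the subject line this is not a strict policy: injected inline script or string-evaluated code still runs, which is the main class of attack CSP exists to stop. Whether inline handlers or eval are really required cannot be judged from this hunk; if they are, per-script hashes (`'sha256-…'`) or nonces with `'strict-dynamic'` are the usual replacement, and a static header in vercel.json can carry hashes but not per-response nonces. A policy of this size is better rolled out first as `Content-Security-Policy-Report-Only` with a `report-to`/`report-uri` endpoint, so violations are observed rather than discovered through breakage. No `frame-ancestors` is set yet, so framing protection rests on whatever `X-Frame-Options` header, if any, is defined elsewhere in this file.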
@@ -3651,7 +3651,7 @@
 },
 {
 "key": "Content-Security-Policy",
- "value": "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.googletagmanager.com https://*.getdbt.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; img-src 'self' data: https: blob:; font-src 'self' data: https://fonts.gstatic.com https://fonts.googleapis.com; frame-src 'self' https://www.youtube.com https://www.loom.com; connect-src 'self' https://*.getdbt.com https://*.algolia.net https://*.algolianet.com https://www.google-analytics.com; object-src 'none'; base-uri 'self'; form-action 'self';"
+ "value": "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.googletagmanager.com https://*.getdbt.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdn.jsdelivr.net; img-src 'self' data: https: blob:; font-src 'self' data: https://fonts.gstatic.com https://fonts.googleapis.com; frame-src 'self' https://www.youtube.com https://www.loom.com https://app.mutinyhq.com https://www.wistia.com; connect-src 'self' https://*.getdbt.com https://*.algolia.net https://*.algolianet.com https://www.google-analytics.com; object-src 'none'; base-uri 'self'; form-action 'self'; frame-ancestors https://app.mutinyhq.com *.getdbt.com *.vercel.app http://localhost:3000"
 },
 {
 "key": "Strict-Transport-Security",
From c0851e1b8b1d1cccaf29676ecfd3e1bd256aaffd Mon Sep 17 00:00:00 2001
From: john-rock
Date: Mon, 9 Dec 2024 16:29:26 -0500
Subject: [PATCH 3/8] update wistia
---
 website/vercel.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/website/vercel.json b/website/vercel.json
index 4de52e96391..b0fbb1d0f19 100644
--- a/website/vercel.json
+++ b/website/vercel.json
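Review bot: The new `frame-ancestors` list on the `+` line includes `*.vercel.app` and `http://localhost:3000`, and the header in patch 6 repeats both. `*.vercel.app` is shared by every Vercel customer's deployments, so it lets any deployment on that platform frame this site, which is exactly the clickjacking exposure `frame-ancestors` is meant to close; the localhost entry is a development convenience that has no place in a production header. The list also omits `'self'`, so the site cannot frame its own pages, and the unschemed `*.getdbt.com` differs from the `https://` form used everywhere else in the policy; patch 7 ends with `frame-ancestors 'self' https://app.mutinyhq.com https://*.getdbt.com`, which is the shape I would have used here. If preview deployments genuinely need to be framed, a separate header for the preview environment keeps the production list tight.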
@@ -3651,7 +3651,7 @@
 },
 {
 "key": "Content-Security-Policy",
- "value": "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.googletagmanager.com https://*.getdbt.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdn.jsdelivr.net; img-src 'self' data: https: blob:; font-src 'self' data: https://fonts.gstatic.com https://fonts.googleapis.com; frame-src 'self' https://www.youtube.com https://www.loom.com https://app.mutinyhq.com https://www.wistia.com; connect-src 'self' https://*.getdbt.com https://*.algolia.net https://*.algolianet.com https://www.google-analytics.com; object-src 'none'; base-uri 'self'; form-action 'self'; frame-ancestors https://app.mutinyhq.com *.getdbt.com *.vercel.app http://localhost:3000"
+ "value": "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.googletagmanager.com https://*.getdbt.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdn.jsdelivr.net; img-src 'self' data: https: blob:; font-src 'self' data: https://fonts.gstatic.com https://fonts.googleapis.com; frame-src 'self' https://www.youtube.com https://www.loom.com https://app.mutinyhq.com https://*.wistia.com; connect-src 'self' https://*.getdbt.com https://*.algolia.net https://*.algolianet.com https://www.google-analytics.com; object-src 'none'; base-uri 'self'; form-action 'self'; frame-ancestors https://app.mutinyhq.com *.getdbt.com *.vercel.app http://localhost:3000"
 },
 {
 "key": "Strict-Transport-Security",
From d2d7b35e23fef356aea0aa7bd4fed1365e303f65 Mon Sep 17 00:00:00 2001
From: john-rock
Date: Mon, 9 Dec 2024 16:35:05 -0500
Subject: [PATCH 4/8] url updates
---
 website/vercel.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/website/vercel.json b/website/vercel.json
index b0fbb1d0f19..16c31a3ba59 100644
--- a/website/vercel.json
+++ b/website/vercel.json
@@ -3651,7 +3651,7 @@
 },
 {
 "key": "Content-Security-Policy",
- "value": "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.googletagmanager.com https://*.getdbt.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdn.jsdelivr.net; img-src 'self' data: https: blob:; font-src 'self' data: https://fonts.gstatic.com https://fonts.googleapis.com; frame-src 'self' https://www.youtube.com https://www.loom.com https://app.mutinyhq.com https://*.wistia.com; connect-src 'self' https://*.getdbt.com https://*.algolia.net https://*.algolianet.com https://www.google-analytics.com; object-src 'none'; base-uri 'self'; form-action 'self'; frame-ancestors https://app.mutinyhq.com *.getdbt.com *.vercel.app http://localhost:3000"
+ "value": "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.googletagmanager.com https://*.getdbt.com https://solve-widget.forethought.ai https://*.mutinycdn.com https://cdn.jsdelivr.net https://code.jquery.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdn.jsdelivr.net; img-src 'self' data: https: blob:; font-src 'self' data: https://fonts.gstatic.com https://fonts.googleapis.com; frame-src 'self' https://www.youtube.com https://www.loom.com; connect-src 'self' https://*.getdbt.com https://*.algolia.net https://*.algolianet.com https://www.google-analytics.com; object-src 'none'; base-uri 'self'; form-action 'self';"
 },
 {
 "key": "Strict-Transport-Security",
From a5c5aa056a90529379f1615355b7963befb8ad0f Mon Sep 17 00:00:00 2001
From: john-rock
Date: Mon, 9 Dec 2024 16:41:28 -0500
Subject: [PATCH 5/8] revert all for testing
---
 website/vercel.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/website/vercel.json b/website/vercel.json
index 16c31a3ba59..fa90697a517 100644
--- a/website/vercel.json
+++ b/website/vercel.json
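Review bot: script-src on the `+` line now allowlists `https://cdn.jsdelivr.net` and `https://code.jquery.com` as whole hosts; jsDelivr serves any package published to npm or GitHub, so allowing the host means the directive no longer constrains which scripts may run from it, and combined with `'unsafe-inline'`/`'unsafe-eval'` script-src is effectively open. Pinning the exact files by hash in the policy together with `integrity` attributes on the script tags, or self-hosting them under `'self'`, keeps the allowlist meaningful. The hunk also removes the `frame-ancestors` directive and the Mutiny/Wistia `frame-src` entries that patch 2 added, which the subject "url updates" does not mention; if dropping `frame-ancestors` is intentional it deserves a line in the commit message, since it silently removes framing protection.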
@@ -3651,7 +3651,7 @@
 },
 {
 "key": "Content-Security-Policy",
- "value": "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.googletagmanager.com https://*.getdbt.com https://solve-widget.forethought.ai https://*.mutinycdn.com https://cdn.jsdelivr.net https://code.jquery.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdn.jsdelivr.net; img-src 'self' data: https: blob:; font-src 'self' data: https://fonts.gstatic.com https://fonts.googleapis.com; frame-src 'self' https://www.youtube.com https://www.loom.com; connect-src 'self' https://*.getdbt.com https://*.algolia.net https://*.algolianet.com https://www.google-analytics.com; object-src 'none'; base-uri 'self'; form-action 'self';"
+ "value": "img-src 'self' data: https:;"
 },
 {
 "key": "Strict-Transport-Security",
From fb3ecac84dc8a6d345fc178bc68320b031771c83 Mon Sep 17 00:00:00 2001
From: john-rock
Date: Tue, 10 Dec 2024 14:38:45 -0500
Subject: [PATCH 6/8] add frame ancestors
---
 website/vercel.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/website/vercel.json b/website/vercel.json
index fa90697a517..b77e6f5e600 100644
--- a/website/vercel.json
+++ b/website/vercel.json
@@ -3651,7 +3651,7 @@
 },
 {
 "key": "Content-Security-Policy",
- "value": "img-src 'self' data: https:;"
+ "value": "img-src 'self' data: https:; frame-ancestors 'self' https://*.youtube.com https://*.wistia.com https://app.mutinyhq.com *.getdbt.com *.vercel.app http://localhost:3000"
 },
 {
 "key": "Strict-Transport-Security",
From 38ca2b6f03a04bd64af961fdcd5ac5249cc7051e Mon Sep 17 00:00:00 2001
From: john-rock
Date: Tue, 10 Dec 2024 15:12:46 -0500
Subject: [PATCH 7/8] add frame ancestors
---
 website/vercel.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/website/vercel.json b/website/vercel.json
index b77e6f5e600..b389e7bddde 100644
--- a/website/vercel.json
+++ b/website/vercel.json
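Review bot: The `+` line reverts production to `img-src 'self' data: https:;` alone, so until patch 6 lands the header carries no `frame-ancestors`, `object-src` or `base-uri` at all; the subject says this is for testing, but testing an enforcing policy by removing it is the costly way round. The candidate policy from patch 4 can be carried in a second header, `Content-Security-Policy-Report-Only`, while this minimal one stays enforced, and a `report-to`/`report-uri` endpoint then shows precisely which resources would be blocked without affecting users. That would also have made the incremental revisions in patches 1–4 unnecessary.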
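Review bot: `frame-ancestors` on the `+` line of the patch 6 hunk lists `https://*.youtube.com` and `https://*.wistia.com`, which grants those origins permission to embed this site in a frame, not permission for this site to embed their players; embedding third-party players is governed by `frame-src`. This reads like a mix-up between the two directives, and patch 7 removes both entries, so nothing further is needed there. The `*.vercel.app` and `http://localhost:3000` entries carry the exposure already noted on patch 2.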
@@ -3651,7 +3651,7 @@
 },
 {
 "key": "Content-Security-Policy",
- "value": "img-src 'self' data: https:; frame-ancestors 'self' https://*.youtube.com https://*.wistia.com https://app.mutinyhq.com *.getdbt.com *.vercel.app http://localhost:3000"
+ "value": "img-src 'self' data: https:; frame-ancestors 'self' https://app.mutinyhq.com https://*.getdbt.com"
 },
 {
 "key": "Strict-Transport-Security",
From 121ed9ef75d8c23b00c41239878e6262786d63a2 Mon Sep 17 00:00:00 2001
From: john-rock
Date: Tue, 10 Dec 2024 15:31:49 -0500
Subject: [PATCH 8/8] update mutiny domain
---
 website/vercel.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/website/vercel.json b/website/vercel.json
index b389e7bddde..b68dc053db9 100644
--- a/website/vercel.json
+++ b/website/vercel.json
@@ -3651,7 +3651,7 @@
 },
 {
 "key": "Content-Security-Policy",
- "value": "img-src 'self' data: https:; frame-ancestors 'self' https://app.mutinyhq.com https://*.getdbt.com"
+ "value": "img-src 'self' data: https:; frame-ancestors 'self' https://*.mutinyhq.com https://*.getdbt.com"
 },
 {
 "key": "Strict-Transport-Security",
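Review bot: The `+` line of the patch 8 hunk widens the Mutiny entry from `https://app.mutinyhq.com` to `https://*.mutinyhq.com`, so every subdomain of that vendor may now frame the site; if only the app host embeds it, the narrower form from patch 7 is preferable, and if the wildcard is needed the reason belongs in the commit message. After this series the enforced header is `img-src` plus `frame-ancestors` only; `object-src 'none'` and `base-uri 'self'`, which patches 1–4 carried and which rarely break a site, could be reinstated independently of the harder script-src work. If an `X-Frame-Options` header is also set elsewhere in this file, browsers that honour `frame-ancestors` ignore it, so the two should be kept in agreement.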