clean up CSP (and block interest-cohort permission)

jakejarvis · jakejarvis · commit 4df964245a67 · 2021-05-17T18:43:26.000-04:00
diff --git a/netlify.toml b/netlify.toml
@@ -68,17 +68,18 @@
     # https://amp.dev/documentation/guides-and-tutorials/optimize-and-measure/secure-pages/
     Content-Security-Policy = '''
     default-src 'self';
-    connect-src 'self' https://*.ampproject.net https://csp-collector.appspot.com/csp/amp https://api.github.com https://platform.twitter.com;
-    font-src 'self' https://fonts.googleapis.com https://fonts.gstatic.com;
+    base-uri 'none';
+    connect-src 'self' *.ampproject.net csp-collector.appspot.com/csp/amp api.github.com platform.twitter.com;
+    font-src 'self' fonts.googleapis.com fonts.gstatic.com;
     form-action 'none';
     frame-ancestors 'self';
-    frame-src 'self' https://jakejarvis.github.io https://*.ampproject.net https://cdn.ampproject.org https://app.usefathom.com https://buttons.github.io https://codepen.io https://cdpn.io https://platform.twitter.com https://player.vimeo.com https://www.youtube-nocookie.com;
+    frame-src 'self' jakejarvis.github.io *.ampproject.net cdn.ampproject.org app.usefathom.com buttons.github.io codepen.io cdpn.io platform.twitter.com player.vimeo.com www.youtube-nocookie.com;
     img-src 'self' data: https:;
     manifest-src 'self';
     media-src 'self' data: https:;
     object-src 'none';
-    script-src 'self' 'unsafe-eval' https://cdn.ampproject.org/lts/v0.js https://cdn.ampproject.org/lts/v0/ https://cdn.ampproject.org/viewer/ https://cdn.ampproject.org/rtv/ https://3p.ampproject.net https://buttons.github.io https://gist.github.com https://syndication.twitter.com https://platform.twitter.com https://player.vimeo.com 'sha256-y3Xr/40/KQnUvqk/kZO5us6t3i/I49BsbYjsH8ELhVg=' 'sha256-JGG0npUp+0ABq/NY1azjpQ0WBtm+m5gU58mzF+2DCXY=';
-    style-src 'self' 'unsafe-inline' https://cdn.ampproject.org/rtv/ https://fonts.googleapis.com https://github.githubassets.com;
+    script-src 'self' 'unsafe-eval' cdn.ampproject.org/lts/v0.js cdn.ampproject.org/lts/v0/ cdn.ampproject.org/viewer/ cdn.ampproject.org/rtv/ 3p.ampproject.net buttons.github.io gist.github.com syndication.twitter.com platform.twitter.com player.vimeo.com 'sha256-y3Xr/40/KQnUvqk/kZO5us6t3i/I49BsbYjsH8ELhVg=' 'sha256-JGG0npUp+0ABq/NY1azjpQ0WBtm+m5gU58mzF+2DCXY=';
+    style-src 'self' 'unsafe-inline' cdn.ampproject.org/rtv/ fonts.googleapis.com assets-cdn.github.com github.githubassets.com;
     worker-src 'self';
     block-all-mixed-content;
     report-uri https://jarv.is/api/csp_wizard;
@@ -89,7 +90,7 @@
     {"group":"default","max_age":604800,"endpoints":[{"url":"https://jarv.is/api/report"}],"include_subdomains":false}'''
     # More generic security headers:
     Feature-Policy = "accelerometer 'none'; camera 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; payment 'none'; usb 'none'"
-    Permissions-Policy = "accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=()"
+    Permissions-Policy = "accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=(), interest-cohort=()"
     Referrer-Policy = "no-referrer-when-downgrade"
     X-Content-Type-Options = "nosniff"
     X-Frame-Options = "SAMEORIGIN"
@@ -187,6 +188,10 @@
   from = "/twemoji/svg/*"
   to = "/vendor/emoji/svg/:splat"
   status = 301
+[[redirects]]
+  from = "/vendor/inter/*"
+  to = "/vendor/fonts/:splat"
+  status = 301
 
 # Moved these random sites/projects elsewhere (mostly GitHub Pages) to keep
 # this repo and domain squeaky clean:
