From f6d47fcc9a5d9c02a8b8059f34e64adcc000db76 Mon Sep 17 00:00:00 2001
From: Alexander Marks
Date: Thu, 7 Oct 2021 09:14:28 -0700
Subject: [PATCH 1/2] Enable enforced CSP
---
 .../src/middleware/content-security-policy-middleware.ts | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/packages/lit-dev-server/src/middleware/content-security-policy-middleware.ts b/packages/lit-dev-server/src/middleware/content-security-policy-middleware.ts
index 6d47cdbac..4f86262fc 100644
--- a/packages/lit-dev-server/src/middleware/content-security-policy-middleware.ts
+++ b/packages/lit-dev-server/src/middleware/content-security-policy-middleware.ts
@@ -201,9 +201,7 @@ export const contentSecurityPolicyMiddleware = (
 } else {
 policy = strictFallbackCsp;
 }
- // TODO(aomarks) Remove -Report-Only suffix when we are confident the
- // policy is working.
- ctx.set('Content-Security-Policy-Report-Only', policy);
+ ctx.set('Content-Security-Policy', policy);
 return next();
 };
 };
From 409ae8ed1569aa2e1d76adcffe4f88034f226e57 Mon Sep 17 00:00:00 2001
From: Alexander Marks
Date: Thu, 7 Oct 2021 09:54:15 -0700
Subject: [PATCH 2/2] Add google analytics to img-src
---
 .../src/middleware/content-security-policy-middleware.ts | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/packages/lit-dev-server/src/middleware/content-security-policy-middleware.ts b/packages/lit-dev-server/src/middleware/content-security-policy-middleware.ts
index 4f86262fc..7fc547d78 100644
--- a/packages/lit-dev-server/src/middleware/content-security-policy-middleware.ts
+++ b/packages/lit-dev-server/src/middleware/content-security-policy-middleware.ts
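Review bot: The added `ctx.set('Content-Security-Policy', policy)` turns every gap in the policy from a report into a hard block, and nothing in the hunk shows that the enforced policy still reports violations; confirm that `policy` (assembled above the hunk) keeps a `report-uri` or `report-to` directive, or that a Report-Only header carrying a stricter candidate policy is still emitted alongside it, so omissions keep surfacing in production the way they did before this change. The second patch in this series already has to add googletagmanager.com to img-src, which is exactly the kind of regression the report channel is meant to catch before enforcement breaks a page. A one-line comment where the removed TODO stood would help the next reader: `// Enforced (not Report-Only): anything the policy omits is blocked, so review violation reports before tightening it.` The enclosing arrow function contentSecurityPolicyMiddleware begins before this hunk.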
@@ -121,8 +121,12 @@ export const contentSecurityPolicyMiddleware = ( // TODO(aomarks) We use some data: URLs for SVGs in docs.css. There's // probably a simpler way. + // // The ytimg.com domain is needed for embedded YouTube videos. - `img-src 'self' data: https://i.ytimg.com/`, + // + // The googletagmanager.com domain is needed for Google Analytics + // (https://developers.google.com/tag-manager/web/csp). + `img-src 'self' data: https://i.ytimg.com/ https://www.googletagmanager.com/`, // Disallow any embeds, applets, etc. This would usually be covered by // `default-src: 'none'`, but we can't set that for the reason explained