Refactor Content-Security-Policy in .htaccess #811
Conversation
Updated Content-Security-Policy to simplify directives and enhance security.
✅ Deploy Preview for skywalking-website-preview ready!
Pull request overview
This PR refactors the Content-Security-Policy (CSP) in .htaccess by tightening the default policy while adding new security directives and modifying resource-specific policies. The changes aim to simplify and restructure the CSP configuration.
Changes:
- Tightened default-src from 'self' https: data: 'unsafe-inline' to just 'self'
- Changed several resource directives (style-src, img-src) from specific hcaptcha domains to broad https: wildcards
- Added new security directives: font-src, media-src, base-uri, and form-action
| img-src 'self' data: https://hcaptcha.com https://*.hcaptcha.com; \ | ||
| frame-ancestors 'self'; \ | ||
| frame-src 'self' https://www.youtube.com https://player.bilibili.com https://*.hcaptcha.com; \ | ||
| style-src 'self' 'unsafe-inline' https:; \ |
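Review bot: the style-src 'self' 'unsafe-inline' https: line at the end of this hunk is the second style-src declaration in the same header; the first one, carrying the hcaptcha allow-list, sits just before img-src in the full policy shown further down. A CSP user agent honours only the first occurrence of a directive name and ignores later copies (Chrome and Firefox log a console warning), so this line never takes effect and the effective style-src stays the stricter hcaptcha one. Keep exactly one style-src line with the sources that are actually intended instead of leaving a dead line that reads like the policy.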
Copilot AI, Jan 25, 2026
The style-src directive has been changed from specific hcaptcha domains to a broad https: wildcard, which allows loading stylesheets from any HTTPS source. This loosens security compared to the previous configuration.
While this may be intentional for flexibility, it reduces protection against potential attacks. If the application only needs styles from specific known domains, consider restricting this to those domains rather than allowing all HTTPS sources. For example, if you need styles from hcaptcha and specific CDNs, list them explicitly.
| style-src 'self' 'unsafe-inline' https:; \ | |
| style-src 'self' 'unsafe-inline' https://js.hcaptcha.com https://*.hcaptcha.com; \ |
| frame-ancestors 'self'; \ | ||
| frame-src 'self' https://www.youtube.com https://player.bilibili.com https://*.hcaptcha.com; \ | ||
| style-src 'self' 'unsafe-inline' https:; \ | ||
| img-src 'self' data: https:; \ |
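Review bot: same problem as style-src: img-src is already declared earlier in this header with 'self' data: and the hcaptcha hosts, and browsers ignore a repeated directive, so img-src 'self' data: https: here is dead text and the narrowing suggested below would be applied to a line that is never evaluated. Keep a single img-src line; if the broad https: source really is wanted for images, it has to replace the first declaration rather than follow it.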
Copilot AI, Jan 25, 2026
The img-src directive has been changed from specific hcaptcha domains to a broad https: wildcard, which allows loading images from any HTTPS source. This loosens security compared to the previous configuration.
While this provides flexibility, it reduces protection against potential image-based attacks or data exfiltration. If the application only needs images from specific known domains, consider restricting this to those domains rather than allowing all HTTPS sources. This is particularly important for user-facing applications where malicious actors might exploit this to load tracking pixels or other unwanted content.
| img-src 'self' data: https:; \ | |
| img-src 'self' data: https://js.hcaptcha.com https://*.hcaptcha.com; \ |
| frame-src 'self' https://www.youtube.com https://player.bilibili.com https://*.hcaptcha.com; \ | ||
| style-src 'self' 'unsafe-inline' https:; \ | ||
| img-src 'self' data: https:; \ | ||
| font-src 'self' data: https:; \ |
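Review bot: font-src 'self' data: https: is not a loosening relative to the pre-PR policy. With no font-src set, font loads fell back to the old default-src 'self' https: data: 'unsafe-inline', so this line preserves the existing behaviour while default-src is tightened underneath it. If the site only ships its own fonts, font-src 'self' (plus data: if any CSS embeds fonts inline) is enough, but establish that from a Content-Security-Policy-Report-Only run over a release rather than by guessing which third-party fonts the pages pull in.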
Copilot AI, Jan 25, 2026
The newly added font-src directive allows fonts from any HTTPS source with the broad https: wildcard. This is quite permissive and could potentially be exploited.
If the application uses fonts from specific sources (like Google Fonts, Adobe Fonts, or specific CDNs), consider listing only those specific domains instead of allowing all HTTPS sources. If custom fonts are only served from your own domain, font-src 'self' data: would be more secure.
| font-src 'self' data: https:; \ | |
| font-src 'self' data:; \ |
| style-src 'self' 'unsafe-inline' https:; \ | ||
| img-src 'self' data: https:; \ | ||
| font-src 'self' data: https:; \ | ||
| media-src 'self' https:; \ |
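Review bot: as with font-src, media-src 'self' https: is no wider than the old default-src fallback of 'self' https: data:, and it actually drops data: for audio and video. YouTube and Bilibili embeds are iframes and are governed by frame-src, so media-src only matters for audio and video elements with a direct src; if none of those point at third parties, media-src 'self' is the right setting, confirmed with a report-only run before it is enforced.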
Copilot AI, Jan 25, 2026
The newly added media-src directive allows media from any HTTPS source with the broad https: wildcard. This is quite permissive.
If the application serves media from specific sources (like your own domain or specific CDNs), consider listing only those specific domains instead of allowing all HTTPS sources. If media is only served from your own domain, media-src 'self' would be more secure. Note that video embeds from YouTube and Bilibili are already covered by frame-src, so media-src is for direct audio/video elements.
| media-src 'self' https:; \ | |
| media-src 'self'; \ |
| Header always set Content-Security-Policy "default-src 'self'; \ | ||
| script-src 'self' 'unsafe-inline' 'unsafe-eval' https://*.algolianet.com https://*.algolia.net https://*.algolia.io https://api.github.com https://kapa-widget-proxy-la7dkmplpq-uc.a.run.app https://js.hcaptcha.com https://*.hcaptcha.com; \ | ||
| connect-src 'self' https://*.algolianet.com https://*.algolia.net https://*.algolia.io https://api.github.com https://kapa-widget-proxy-la7dkmplpq-uc.a.run.app https://*.hcaptcha.com; \ | ||
| style-src 'self' 'unsafe-inline' https://hcaptcha.com https://*.hcaptcha.com; \ | ||
| img-src 'self' data: https://hcaptcha.com https://*.hcaptcha.com; \ | ||
| frame-ancestors 'self'; \ | ||
| frame-src 'self' https://www.youtube.com https://player.bilibili.com https://*.hcaptcha.com; \ | ||
| style-src 'self' 'unsafe-inline' https:; \ | ||
| img-src 'self' data: https:; \ | ||
| font-src 'self' data: https:; \ | ||
| media-src 'self' https:; \ | ||
| object-src 'none'; \ | ||
| frame-ancestors 'self'; \ | ||
| base-uri 'self'; \ | ||
| form-action 'self'; \ | ||
| upgrade-insecure-requests;" |
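Review bot: three directives are declared twice in this one header: style-src (hcaptcha allow-list, then https:), img-src (same pattern) and frame-ancestors ('self' both times). Per the CSP specification a user agent keeps the first occurrence of a directive and ignores later ones, so the https: variants of style-src and img-src never take effect and the policy that actually ships is the stricter hcaptcha one; decide which version is intended and keep exactly one line per directive. Second, script-src still carries 'unsafe-inline' 'unsafe-eval', and that is what decides how much XSS resistance this header gives: with both allowed, narrowing img-src or font-src buys little, so moving script-src to nonces or hashes is the change that would justify the "enhance security" wording. Third, script-src and frame-src no longer list https://hcaptcha.com, which the previous header allowed explicitly; https://*.hcaptcha.com matches subdomains only, never the apex, so confirm the widget does not load anything from the bare domain before relying on the wildcard alone.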
Copilot AI, Jan 25, 2026
The description claims this update will "enhance security," but several directives have been loosened from specific domains to broad https: wildcards (style-src, img-src, font-src, media-src). This actually reduces security by allowing resources from any HTTPS source rather than specific trusted domains.
While the addition of base-uri and form-action directives does improve security in those specific areas, and tightening default-src is generally good, the overall net effect may not be a security enhancement due to the loosened resource directives. Please verify that this tradeoff is intentional and aligns with your security requirements.
| Header always set Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline'; \ | ||
| frame-src 'self' https://www.youtube.com https://player.bilibili.com https://hcaptcha.com https://*.hcaptcha.com; \ | ||
| script-src 'self' 'unsafe-inline' 'unsafe-eval' https://*.algolianet.com https://*.algolia.net https://*.algolia.io https://api.github.com https://kapa-widget-proxy-la7dkmplpq-uc.a.run.app https://hcaptcha.com https://*.hcaptcha.com; \ | ||
| Header always set Content-Security-Policy "default-src 'self'; \ |
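Review bot: removing https:, data: and 'unsafe-inline' from default-src changes the fallback only. script-src and style-src each carry their own 'unsafe-inline' in the new header, so inline scripts and styles remain allowed exactly as before; what changes is that directives not listed at all (worker-src, manifest-src, child-src, prefetch-src) now resolve to 'self'. Roll the new policy out as a Content-Security-Policy-Report-Only header alongside the current enforcing one for a release and look at the reported violations before switching the Header line over.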
Copilot AI, Jan 25, 2026
The default-src directive has been significantly tightened from 'self' https: data: 'unsafe-inline' to just 'self'. While this is generally more secure, it means that any resource types without explicit directives will now be restricted to same-origin only.
Missing explicit directives that may be needed:
- worker-src - for web workers (if used)
- manifest-src - for web app manifests (if used)
- child-src - for workers and nested browsing contexts (deprecated but may be needed for compatibility)
Please verify that the application doesn't use any resource types that aren't covered by the explicit directives now defined (script-src, connect-src, frame-src, style-src, img-src, font-src, media-src, object-src). Without the broader default-src fallback, these resources will be blocked.
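The two rules the review comments circle around (a directive repeated inside one policy counts only the first time, and a host wildcard does not cover the apex domain) are easiest to see by evaluating the proposed header mechanically. The checker below is an added example written for this review; it is not code from the skywalking-website project or from Apache. It parses the exact header string proposed in the PR, reports which directives are duplicated, and answers whether a given directive allows a given URL, applying the default-src fallback for fetch directives that are not set. The page origin https://skywalking.apache.org and the probe URLs are assumptions made for the demonstration, and 'self' matching is simplified to an exact scheme-plus-host comparison.

```python
"""Effective-policy checker for a Content-Security-Policy header.

Added example for this review (not skywalking-website or Apache code).
Models two CSP rules: a directive repeated in one policy counts only the
first time, and https://*.example.com matches subdomains but not the apex.
"""
from urllib.parse import urlsplit

# Header proposed in the PR, with the .htaccess line continuations removed.
PROPOSED_CSP = (
    "default-src 'self'; "
    "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://*.algolianet.com "
    "https://*.algolia.net https://*.algolia.io https://api.github.com "
    "https://kapa-widget-proxy-la7dkmplpq-uc.a.run.app https://js.hcaptcha.com "
    "https://*.hcaptcha.com; "
    "connect-src 'self' https://*.algolianet.com https://*.algolia.net "
    "https://*.algolia.io https://api.github.com "
    "https://kapa-widget-proxy-la7dkmplpq-uc.a.run.app https://*.hcaptcha.com; "
    "style-src 'self' 'unsafe-inline' https://hcaptcha.com https://*.hcaptcha.com; "
    "img-src 'self' data: https://hcaptcha.com https://*.hcaptcha.com; "
    "frame-ancestors 'self'; "
    "frame-src 'self' https://www.youtube.com https://player.bilibili.com "
    "https://*.hcaptcha.com; "
    "style-src 'self' 'unsafe-inline' https:; "
    "img-src 'self' data: https:; "
    "font-src 'self' data: https:; "
    "media-src 'self' https:; "
    "object-src 'none'; "
    "frame-ancestors 'self'; "
    "base-uri 'self'; "
    "form-action 'self'; "
    "upgrade-insecure-requests;"
)

# Fetch directives that fall back to default-src when not set (CSP Level 3).
FALLS_BACK_TO_DEFAULT = {
    "script-src", "style-src", "img-src", "font-src", "media-src",
    "connect-src", "object-src", "frame-src", "worker-src", "manifest-src",
    "child-src", "prefetch-src",
}


def parse_policy(header):
    """Return (effective, duplicates). Browsers keep the first occurrence of
    a directive name and ignore later copies, so duplicates are only reported."""
    effective, duplicates = {}, []
    for token in header.split(";"):
        parts = token.split()
        if not parts:
            continue
        name, sources = parts[0].lower(), parts[1:]
        if name in effective:
            duplicates.append(name)
        else:
            effective[name] = sources
    return effective, duplicates


def source_matches(source, url, page_origin):
    """Source-expression matching for the forms used in this header.
    'self' is simplified to an exact scheme+host comparison (assumption)."""
    u = urlsplit(url)
    if source == "'self'":
        return f"{u.scheme}://{u.netloc}" == page_origin
    if source.startswith("'"):          # 'none', 'unsafe-inline', ...: no URL match
        return False
    if source.endswith(":"):            # scheme-source such as https: or data:
        return u.scheme == source[:-1]
    s = urlsplit(source if "://" in source else "https://" + source)
    if not u.hostname or ("://" in source and s.scheme != u.scheme):
        return False
    if s.hostname.startswith("*."):     # *.hcaptcha.com does not match hcaptcha.com
        return u.hostname.endswith(s.hostname[1:])
    return u.hostname == s.hostname


def allows(effective, directive, url, page_origin):
    """Does `directive` permit loading `url`? Applies the default-src fallback."""
    sources = effective.get(directive)
    if sources is None and directive in FALLS_BACK_TO_DEFAULT:
        sources = effective.get("default-src", [])
    if sources is None:                 # directive absent and has no fallback
        return True
    return any(source_matches(s, url, page_origin) for s in sources)


if __name__ == "__main__":
    origin = "https://skywalking.apache.org"      # assumed page origin
    effective, dupes = parse_policy(PROPOSED_CSP)
    print("ignored duplicate directives:", dupes)
    print("effective style-src:", " ".join(effective["style-src"]))
    probes = [                                    # constructed test URLs
        ("style-src", "https://cdn.example.net/site.css"),
        ("img-src", "https://cdn.example.net/pixel.png"),
        ("frame-src", "https://hcaptcha.com/challenge"),
        ("frame-src", "https://newassets.hcaptcha.com/captcha.html"),
        ("font-src", "https://fonts.gstatic.com/s/roboto.woff2"),
        ("worker-src", "https://cdn.example.net/worker.js"),
    ]
    for directive, url in probes:
        verdict = "ALLOW" if allows(effective, directive, url, origin) else "BLOCK"
        print(f"{verdict}  {directive:11s} {url}")
```

Run as a script, it lists style-src, img-src and frame-ancestors as ignored duplicates, blocks the two cdn.example.net probes because the first style-src and img-src declarations (the hcaptcha allow-lists) are the ones that count, refuses the bare hcaptcha.com apex under frame-src while accepting a subdomain, allows the Google Fonts probe through font-src https:, and blocks the cross-origin worker because worker-src now falls back to default-src 'self'. Swap PROPOSED_CSP for the header as it is written in .htaccess after each round of edits to see what will actually be enforced.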