@@ -131,6 +131,84 @@ async function onExpressJsSetup(server) {
131131 return next ( ) ;
132132 } ;
133133
134+ server . use ( ( req , res , next ) => {
135+ res . header ( 'Referrer-Policy' , 'strict-origin-when-cross-origin' ) ;
136+ res . header ( 'Permissions-Policy' , 'geolocation=(), microphone=(), camera=()' ) ;
137+
138+ if ( req . url . startsWith ( '/__community__/veterans' ) || req . hostname === 'veterans.topcoder.com' ) {
139+ res . header (
140+ 'Content-Security-Policy' ,
141+ "default-src 'self';"
142+ + " script-src 'report-sample' 'self' 'unsafe-inline' 'unsafe-eval'"
143+ + ` ${ config . CDN . PUBLIC } `
144+ + ' http://www.google-analytics.com'
145+ + ' https://43d132d5dbff47c59d9d53ad448f93c2.js.ubembed.com'
146+ + ' https://assets.ubembed.com'
147+ + ' https://assets.zendesk.com'
148+ + ' https://browser.sentry-cdn.com'
149+ + ' https://cdn.heapanalytics.com'
150+ + ' https://cdn.segment.com'
151+ + ' https://connect.facebook.net'
152+ + ' https://d1of0acg2orgco.cloudfront.net'
153+ + ' https://d24oibycet9bsb.cloudfront.net'
154+ + ' https://fast.trychameleon.com'
155+ + ' https://static.zdassets.com'
156+ + ' https://www.googletagmanager.com;'
157+ + " style-src 'report-sample' 'self' 'unsafe-inline'"
158+ + ` ${ config . CDN . PUBLIC } `
159+ + ' https://d1of0acg2orgco.cloudfront.net'
160+ + ' https://d24oibycet9bsb.cloudfront.net'
161+ + ' https://d2nl5eqipnb33q.cloudfront.net;'
162+ + " object-src 'none';"
163+ + " base-uri 'self';"
164+ + " connect-src 'self'"
165+ + ` ${ config . API . V2 } /`
166+ + ` ${ config . API . V3 } /`
167+ + ` ${ config . API . V4 } /`
168+ + ` ${ config . API . V5 } /`
169+ + ` ${ config . CDN . PUBLIC } `
170+ + ` ${ config . URL . COMMUNITY_APP } `
171+ + ' https://api.segment.io'
172+ + ' https://cdn.segment.com'
173+ + ' https://ekr.zdassets.com'
174+ + ' https://fast.trychameleon.com'
175+ + ' https://topcoder.zendesk.com'
176+ + ' https://stats.g.doubleclick.net'
177+ + ' https://www.google-analytics.com;'
178+ + " font-src 'self'"
179+ + ' data:'
180+ + ` ${ config . CDN . PUBLIC } `
181+ + ' https://d1of0acg2orgco.cloudfront.net'
182+ + ' https://d24oibycet9bsb.cloudfront.net'
183+ + ' https://43d132d5dbff47c59d9d53ad448f93c2.js.ubembed.com;'
184+ + " frame-src 'self'"
185+ + ` ${ config . URL . AUTH } `
186+ + ' https://www.youtube.com;'
187+ + " img-src 'self'"
188+ + ` ${ config . CDN . PUBLIC } `
189+ + ' https://cdn.segment.com'
190+ + ' https://d1of0acg2orgco.cloudfront.net'
191+ + ' https://d24oibycet9bsb.cloudfront.net'
192+ + ' https://d2nl5eqipnb33q.cloudfront.net'
193+ + ' https://images.ctfassets.net'
194+ + ' https://heapanalytics.com'
195+ + ' https://q.quora.com'
196+ + ' https://topcoder-prod-media.s3.amazonaws.com'
197+ + ' https://www.facebook.com'
198+ + ' https://www.google-analytics.com'
199+ + ' https://www.google.com'
200+ + ' https://www.googletagmanager.com'
201+ + ' https://i.ytimg.com;'
202+ + " manifest-src 'self';"
203+ + " media-src 'self';"
204+ + ' report-uri https://623d4c23f90d055298b24042.endpoint.csper.io/?v=0;'
205+ + " worker-src 'self';" ,
206+ ) ;
207+ }
208+
209+ next ( ) ;
210+ } ) ;
211+
134212 /* Log Entries service proxy. */
135213 server . use ( '/community-app-assets/api/logger' , checkAuthorizationHeader , ( req , res ) => {
136214 logger . log ( `${ req . clientIp } > ` , ...req . body . data ) ;
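Review bot: The script-src directive of the new Content-Security-Policy (inside the `if` branch that starts at added line 138) allows both `'unsafe-inline'` and `'unsafe-eval'`, so an injected inline script still runs and the policy mainly restricts which external origins may be loaded; since a `report-uri` is already configured, shipping the header as `Content-Security-Policy-Report-Only` first would let violations from the site's own inline scripts be collected before enforcement. The policy sets `frame-src` but no `frame-ancestors`, so nothing in this middleware stops the veterans pages from being framed; adding `+ " frame-ancestors 'self';"` (or an X-Frame-Options header) would close that. The `${ config . CDN . PUBLIC }` and `config . API . V*` interpolations will write the literal token `undefined` into the header if any of those config values is unset, which presumably is not intended, so a startup assertion on them is worth adding. Note that `req . hostname` reflects X-Forwarded-Host only when Express's `trust proxy` setting is enabled, so the host-based branch may never match behind a load balancer. The enclosing `onExpressJsSetup` body continues outside the hunk.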