Allow ic0.app in CSP (#525)

frederikrothenberger · web-flow · commit 83a273d70fc7 · 2022-02-03T14:30:12.000+01:00
diff --git a/backend-tests/backend-tests.hs b/backend-tests/backend-tests.hs
@@ -437,7 +437,7 @@ validateSecurityHeaders resp = do
     \window-placement=(),\
     \xr-spatial-tracking=()"
   validateHeaderMatches resp "Content-Security-Policy" "^default-src 'none';\
-    \connect-src 'self';\
+    \connect-src 'self' https://ic0.app;\
     \img-src 'self' data:;\
     \script-src 'sha256-[a-zA-Z0-9\\/=+]+' 'unsafe-inline' 'unsafe-eval' 'strict-dynamic' https:;\
     \base-uri 'none';\
diff --git a/src/internet_identity/src/main.rs b/src/internet_identity/src/main.rs
@@ -835,7 +835,7 @@ fn security_headers() -> Vec<HeaderField> {
         (
             "Content-Security-Policy".to_string(),
             "default-src 'none';\
-             connect-src 'self';\
+             connect-src 'self' https://ic0.app;\
              img-src 'self' data:;\
              script-src 'sha256-syYd+YuWeLD80uCtKwbaGoGom63a0pZE5KqgtA7W1d8=' 'unsafe-inline' 'unsafe-eval' 'strict-dynamic' https:;\
              base-uri 'none';\

Original file line number	Diff line number	Diff line change
`@@ -835,7 +835,7 @@ fn security_headers() -> Vec<HeaderField> {`
`835`	`835`	`(`
`836`	`836`	`"Content-Security-Policy".to_string(),`
`837`	`837`	`"default-src 'none';\`
`838`		`- connect-src 'self';\`
	`838`	`+ connect-src 'self' https://ic0.app;\`
`839`	`839`	`img-src 'self' data:;\`
`840`	`840`	`script-src 'sha256-syYd+YuWeLD80uCtKwbaGoGom63a0pZE5KqgtA7W1d8=' 'unsafe-inline' 'unsafe-eval' 'strict-dynamic' https:;\`
`841`	`841`	`base-uri 'none';\`