Merge pull request #6966 from betagouv/fix-matomo-csp

Correction des requêtes Matomo bloquées par la Content Security Policy
This commit is contained in:
Pierre de La Morinerie 2022-02-15 16:02:05 +01:00 committed by GitHub
commit 0d67ca11a9
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23

View file

@ -28,8 +28,13 @@ Rails.application.config.content_security_policy do |policy|
connect_whitelist << URI(API_ADRESSE_URL).host if API_ADRESSE_URL.present?
connect_whitelist << URI(API_EDUCATION_URL).host if API_EDUCATION_URL.present?
connect_whitelist << URI(API_GEO_URL).host if API_GEO_URL.present?
connect_whitelist << Rails.application.secrets.matomo[:host] if Rails.application.secrets.matomo[:enabled]
policy.connect_src(:self, *connect_whitelist)
frame_whitelist = []
frame_whitelist << URI(MATOMO_IFRAME_URL).host if Rails.application.secrets.matomo[:enabled]
policy.frame_src(:self, *frame_whitelist)
# Pour tout le reste, par défaut on accepte uniquement ce qui vient de chez nous
# et dans la notification on inclue la source de l'erreur
default_whitelist = ["fonts.gstatic.com", "in-automate.sendinblue.com", "player.vimeo.com", "app.franceconnect.gouv.fr", "sentry.io", "*.crisp.chat", "crisp.chat", "*.crisp.help", "*.sibautomation.com", "sibautomation.com", "data"]