DGNum/demarches-normaliennes
15
1
Fork 0
Code Issues 1 Pull requests Projects Releases Packages Wiki Activity

config: add Matomo to the frame_src Content Security Policy

Browse source 
Solves the Matomo iframe being blocked on `/suivi`. Fix #5868
This commit is contained in:
Pierre de La Morinerie 2022-02-15 14:31:31 +00:00
parent 3276db016f
commit c2729ab7e2
1 changed files with 4 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
config/initializers/content_security_policy.rb
View file

@ -31,6 +31,10 @@ Rails.application.config.content_security_policy do |policy|
connect_whitelist << Rails.application.secrets.matomo[:host] if Rails.application.secrets.matomo[:enabled]
policy.connect_src(:self, *connect_whitelist)
frame_whitelist = []
frame_whitelist << URI(MATOMO_IFRAME_URL).host if Rails.application.secrets.matomo[:enabled]
policy.frame_src(:self, *frame_whitelist)
# Pour tout le reste, par défaut on accepte uniquement ce qui vient de chez nous
# et dans la notification on inclue la source de l'erreur
default_whitelist = ["fonts.gstatic.com", "in-automate.sendinblue.com", "player.vimeo.com", "app.franceconnect.gouv.fr", "sentry.io", "*.crisp.chat", "crisp.chat", "*.crisp.help", "*.sibautomation.com", "sibautomation.com", "data"]