Add google font api to CSP

Lynette Nguyen · Lynette Nguyen · commit 285300f6a029 · 2025-10-29T15:52:14.000+13:00
diff --git a/terraform/lambdas/secure-headers-dev.js b/terraform/lambdas/secure-headers-dev.js
@@ -11,7 +11,7 @@ function handler(event) {
   };
   headers["content-security-policy"] = {
     value:
-      "default-src 'none'; manifest-src 'self'; connect-src 'self' www.google-analytics.com images.ctfassets.net cdn.auckland.ac.nz www.googletagmanager.com fonts.gstatic.com sentry.io *.sentry.io cdn.jsdelivr.net https://apigw.test.amazon.auckland.ac.nz/hub-search-proxy-dev https://cognito-idp.ap-southeast-2.amazonaws.com/ap-southeast-2_gtuqqgIIq/.well-known/openid-configuration https://rhubcpapi-dev.connect.test.amazon.auckland.ac.nz https://uoapool-nonprod.auth.ap-southeast-2.amazoncognito.com/oauth2/token https://apigw.test.amazon.auckland.ac.nz/content-graph-api-dev/graph https://*.google-analytics.com https://analytics.google.com https://*.analytics.google.com https://*.googletagmanager.com; font-src https://cdn.auckland.ac.nz https://fonts.gstatic.com; frame-src https://www.youtube.com; img-src 'self' https://images.ctfassets.net www.googletagmanager.com https://www.google-analytics.com https://*.google-analytics.com https://*.googletagmanager.com data:; script-src 'self' 'unsafe-eval' https://www.google-analytics.com/analytics.js https://www.googletagmanager.com/gtm.js https://www.googletagmanager.com/debug/bootstrap https://www.googletagmanager.com/gtag/js https://*.googletagmanager.com; style-src 'self' 'unsafe-inline'; report-uri https://o991241.ingest.sentry.io/api/5948230/security/?sentry_key=eb04735190794f63abc9c1ddd3d73f64&sentry_environment=dev",
+      "default-src 'none'; manifest-src 'self'; connect-src 'self' www.google-analytics.com images.ctfassets.net cdn.auckland.ac.nz www.googletagmanager.com fonts.gstatic.com sentry.io *.sentry.io cdn.jsdelivr.net https://apigw.test.amazon.auckland.ac.nz/hub-search-proxy-dev https://cognito-idp.ap-southeast-2.amazonaws.com/ap-southeast-2_gtuqqgIIq/.well-known/openid-configuration https://rhubcpapi-dev.connect.test.amazon.auckland.ac.nz https://uoapool-nonprod.auth.ap-southeast-2.amazoncognito.com/oauth2/token https://apigw.test.amazon.auckland.ac.nz/content-graph-api-dev/graph https://*.google-analytics.com https://analytics.google.com https://*.analytics.google.com https://*.googletagmanager.com https://fonts.googleapis.com; font-src https://cdn.auckland.ac.nz https://fonts.gstatic.com; frame-src https://www.youtube.com; img-src 'self' https://images.ctfassets.net www.googletagmanager.com https://www.google-analytics.com https://*.google-analytics.com https://*.googletagmanager.com data:; script-src 'self' 'unsafe-eval' https://www.google-analytics.com/analytics.js https://www.googletagmanager.com/gtm.js https://www.googletagmanager.com/debug/bootstrap https://www.googletagmanager.com/gtag/js https://*.googletagmanager.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; report-uri https://o991241.ingest.sentry.io/api/5948230/security/?sentry_key=eb04735190794f63abc9c1ddd3d73f64&sentry_environment=dev",
   };
   headers["x-content-type-options"] = { value: "nosniff" };
   headers["x-frame-options"] = { value: "DENY" };
diff --git a/terraform/lambdas/secure-headers-prod.js b/terraform/lambdas/secure-headers-prod.js
@@ -11,7 +11,7 @@ function handler(event) {
   };
   headers["content-security-policy"] = {
     value:
-      "default-src 'none'; manifest-src 'self'; connect-src 'self' www.google-analytics.com images.ctfassets.net cdn.auckland.ac.nz www.googletagmanager.com fonts.gstatic.com sentry.io *.sentry.io cdn.jsdelivr.net https://apigw.prod.amazon.auckland.ac.nz/hub-search-proxy-prod https://cognito-idp.ap-southeast-2.amazonaws.com/ap-southeast-2_B3Lx9B4bL/.well-known/openid-configuration https://rhubcpapi.auckland.ac.nz https://uoapool.auth.ap-southeast-2.amazoncognito.com/oauth2/token https://apigw.prod.amazon.auckland.ac.nz/content-graph-api-prod/graph https://*.google-analytics.com https://analytics.google.com https://*.analytics.google.com https://*.googletagmanager.com; font-src https://cdn.auckland.ac.nz https://fonts.gstatic.com; frame-src https://www.youtube.com; img-src 'self' https://images.ctfassets.net www.googletagmanager.com https://www.google-analytics.com https://*.google-analytics.com https://*.googletagmanager.com data:; script-src 'self' 'unsafe-eval' https://www.google-analytics.com/analytics.js https://www.googletagmanager.com https://www.googletagmanager.com/gtm.js https://www.googletagmanager.com/debug/bootstrap https://www.googletagmanager.com/gtag/js https://*.googletagmanager.com; style-src 'self' 'unsafe-inline'; report-uri https://o991241.ingest.sentry.io/api/5948230/security/?sentry_key=eb04735190794f63abc9c1ddd3d73f64&sentry_environment=prod",
+      "default-src 'none'; manifest-src 'self'; connect-src 'self' www.google-analytics.com images.ctfassets.net cdn.auckland.ac.nz www.googletagmanager.com fonts.gstatic.com sentry.io *.sentry.io cdn.jsdelivr.net https://apigw.prod.amazon.auckland.ac.nz/hub-search-proxy-prod https://cognito-idp.ap-southeast-2.amazonaws.com/ap-southeast-2_B3Lx9B4bL/.well-known/openid-configuration https://rhubcpapi.auckland.ac.nz https://uoapool.auth.ap-southeast-2.amazoncognito.com/oauth2/token https://apigw.prod.amazon.auckland.ac.nz/content-graph-api-prod/graph https://*.google-analytics.com https://analytics.google.com https://*.analytics.google.com https://*.googletagmanager.com https://fonts.googleapis.com; font-src https://cdn.auckland.ac.nz https://fonts.gstatic.com; frame-src https://www.youtube.com; img-src 'self' https://images.ctfassets.net www.googletagmanager.com https://www.google-analytics.com https://*.google-analytics.com https://*.googletagmanager.com data:; script-src 'self' 'unsafe-eval' https://www.google-analytics.com/analytics.js https://www.googletagmanager.com https://www.googletagmanager.com/gtm.js https://www.googletagmanager.com/debug/bootstrap https://www.googletagmanager.com/gtag/js https://*.googletagmanager.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; report-uri https://o991241.ingest.sentry.io/api/5948230/security/?sentry_key=eb04735190794f63abc9c1ddd3d73f64&sentry_environment=prod",
   };
   headers["x-content-type-options"] = { value: "nosniff" };
   headers["x-frame-options"] = { value: "DENY" };
diff --git a/terraform/lambdas/secure-headers-test.js b/terraform/lambdas/secure-headers-test.js
@@ -11,7 +11,7 @@ function handler(event) {
   };
   headers["content-security-policy"] = {
     value:
-      "default-src 'none'; manifest-src 'self'; connect-src 'self' www.google-analytics.com images.ctfassets.net cdn.auckland.ac.nz www.googletagmanager.com fonts.gstatic.com sentry.io *.sentry.io cdn.jsdelivr.net https://apigw.test.amazon.auckland.ac.nz/hub-search-proxy-test https://cognito-idp.ap-southeast-2.amazonaws.com/ap-southeast-2_gtuqqgIIq/.well-known/openid-configuration https://rhubcpapi.connect.test.amazon.auckland.ac.nz https://uoapool-nonprod.auth.ap-southeast-2.amazoncognito.com/oauth2/token https://apigw.test.amazon.auckland.ac.nz/content-graph-api-test/graph https://*.google-analytics.com https://analytics.google.com https://*.analytics.google.com https://*.googletagmanager.com; font-src https://cdn.auckland.ac.nz https://fonts.gstatic.com; frame-src https://www.youtube.com; img-src 'self' https://images.ctfassets.net www.googletagmanager.com https://www.google-analytics.com https://*.google-analytics.com https://*.googletagmanager.com data:; script-src 'self' 'unsafe-eval' https://www.google-analytics.com/analytics.js https://www.googletagmanager.com/gtm.js https://www.googletagmanager.com/debug/bootstrap https://www.googletagmanager.com/gtag/js https://*.googletagmanager.com; style-src 'self' 'unsafe-inline'; report-uri https://o991241.ingest.sentry.io/api/5948230/security/?sentry_key=eb04735190794f63abc9c1ddd3d73f64&sentry_environment=test",
+      "default-src 'none'; manifest-src 'self'; connect-src 'self' www.google-analytics.com images.ctfassets.net cdn.auckland.ac.nz www.googletagmanager.com fonts.gstatic.com sentry.io *.sentry.io cdn.jsdelivr.net https://apigw.test.amazon.auckland.ac.nz/hub-search-proxy-test https://cognito-idp.ap-southeast-2.amazonaws.com/ap-southeast-2_gtuqqgIIq/.well-known/openid-configuration https://rhubcpapi.connect.test.amazon.auckland.ac.nz https://uoapool-nonprod.auth.ap-southeast-2.amazoncognito.com/oauth2/token https://apigw.test.amazon.auckland.ac.nz/content-graph-api-test/graph https://*.google-analytics.com https://analytics.google.com https://*.analytics.google.com https://*.googletagmanager.com https://fonts.googleapis.com; font-src https://cdn.auckland.ac.nz https://fonts.gstatic.com; frame-src https://www.youtube.com; img-src 'self' https://images.ctfassets.net www.googletagmanager.com https://www.google-analytics.com https://*.google-analytics.com https://*.googletagmanager.com data:; script-src 'self' 'unsafe-eval' https://www.google-analytics.com/analytics.js https://www.googletagmanager.com/gtm.js https://www.googletagmanager.com/debug/bootstrap https://www.googletagmanager.com/gtag/js https://*.googletagmanager.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; report-uri https://o991241.ingest.sentry.io/api/5948230/security/?sentry_key=eb04735190794f63abc9c1ddd3d73f64&sentry_environment=test",
   };
   headers["x-content-type-options"] = { value: "nosniff" };
   headers["x-frame-options"] = { value: "DENY" };
