
Commit f44001d

julianknutsenclaude
andcommitted
fix: add script-src and worker-src to CSP for Sentry replay
- script-src 'unsafe-inline' allows the Google Fonts onload handler - worker-src blob: allows Sentry replay's Web Worker Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
1 parent 76fcce2 commit f44001d

2 files changed

Lines changed: 2 additions & 2 deletions


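--- a/internal/api/security.go
+++ b/internal/api/security.go
@@ -5,7 +5,7 @@ import "net/http"
 // SecurityHeaders wraps a handler with standard security response headers.
 func SecurityHeaders(next http.Handler) http.Handler {
 return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-w.Header().Set("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; connect-src 'self' https://api.nango.dev https://*.ingest.us.sentry.io; img-src 'self' data:")
+w.Header().Set("Content-Security-Policy", "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; connect-src 'self' https://api.nango.dev https://*.ingest.us.sentry.io; worker-src 'self' blob:; img-src 'self' data:")
 w.Header().Set("X-Frame-Options", "DENY")
 w.Header().Set("X-Content-Type-Options", "nosniff")
 w.Header().Set("Referrer-Policy", "strict-origin-when-cross-origin")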
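Review bot: The new `script-src 'self' 'unsafe-inline'` on the added Content-Security-Policy line weakens the policy for the whole app, not just the font loader: before this change there was no `script-src`, so `default-src 'self'` governed scripts and every inline `<script>` and `on*=` attribute was blocked, whereas `'unsafe-inline'` now permits all of them and removes the main XSS mitigation the header provides. Inline event handlers cannot be nonced, but they can be allow-listed individually: keep `script-src 'self'` and add `'unsafe-hashes'` plus the SHA-256 of the handler's exact source text, e.g. `script-src 'self' 'unsafe-hashes' 'sha256-<base64 hash of the onload handler text>'`, or move the handler's logic into a script served from the origin so no inline allowance is needed at all. `worker-src 'self' blob:` looks proportionate for the Sentry replay worker described in the commit message, though it is worth a one-line comment such as `// worker-src blob: is required by Sentry Session Replay, which spawns its compression worker from a blob URL`, so the next reader does not assume it can be dropped. The handler closure and SecurityHeaders itself close outside this hunk.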

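--- a/internal/api/security_test.go
+++ b/internal/api/security_test.go
@@ -21,7 +21,7 @@ func TestSecurityHeaders(t *testing.T) {
 header string
 want string
 }{
-{"Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; connect-src 'self' https://api.nango.dev https://*.ingest.us.sentry.io; img-src 'self' data:"},
+{"Content-Security-Policy", "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; connect-src 'self' https://api.nango.dev https://*.ingest.us.sentry.io; worker-src 'self' blob:; img-src 'self' data:"},
 {"X-Frame-Options", "DENY"},
 {"X-Content-Type-Options", "nosniff"},
 {"Referrer-Policy", "strict-origin-when-cross-origin"},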
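Review bot: The updated expected value is a verbatim copy of the header literal in security.go, so this table entry only proves that the two copies were edited together and cannot flag a policy getting weaker, which is exactly what happened in this commit. A small directive-level guard alongside the exact-match case would catch that class of regression, for instance splitting the `Content-Security-Policy` value on `;`, trimming each directive, and failing with `t.Errorf("script-src must not allow 'unsafe-inline': %q", d)` when a `script-src` directive contains `'unsafe-inline'` (that guard would presumably fail against the current policy until the handler is hashed or externalized, which is the point). TestSecurityHeaders starts and ends outside this hunk, so where the header value is fetched from the recorder is not visible here.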
