Minor fixes

Improve how we link to external fonts, change csp generating code, fix width of pagination links
2020-06-25 20:50:32 +01:00 · 2020-06-25 20:50:32 +01:00 · 868efc36f6
commit 868efc36f6
parent c4af4b9984
8 changed files with 164 additions and 150 deletions
--- a/app/Http/Middleware/CSPHeader.php
+++ b/app/Http/Middleware/CSPHeader.php
@ -22,53 +22,24 @@ class CSPHeader
        return $next($request)
            ->header(
                'Content-Security-Policy',
-                str_replace("\\\n", '', "default-src 'self'; \
-script-src 'self' 'unsafe-inline' 'unsafe-eval' \
-https://api.mapbox.com \
-https://api.tiles.mapbox.com \
-https://analytics.jmb.lv \
-https://fathom.jonnybarnes.uk \
-blob:; \
-style-src 'self' 'unsafe-inline' \
-https://api.mapbox.com \
-https://api.tiles.mapbox.com \
-cloud.typography.com; \
-img-src 'self' data: blob: \
-https://pbs.twimg.com \
-https://api.mapbox.com \
-https://*.tiles.mapbox.com \
-https://jbuk-media.s3-eu-west-1.amazonaws.com \
-https://jbuk-media-dev.s3-eu-west-1.amazonaws.com \
-https://secure.gravatar.com \
-https://graph.facebook.com *.fbcdn.net \
-https://*.cdninstagram.com \
-analytics.jmb.lv \
-https://*.4sqi.net \
-https://upload.wikimedia.org \
-p.typekit.net; \
-font-src 'self' \
-https://fonts.gstatic.com \
-use.typekit.net \
-fonts.typekit.net \
-data:; \
-connect-src 'self' \
-https://api.mapbox.com \
-https://*.tiles.mapbox.com \
-https://events.mapbox.com \
-performance.typekit.net \
-data: blob:; \
-worker-src 'self' blob:; \
-frame-src 'self' https://www.youtube.com blob:; \
-child-src blob:; \
-upgrade-insecure-requests; \
-block-all-mixed-content; \
-report-to csp-endpoint; \
-report-uri https://jonnybarnes.report-uri.io/r/default/csp/enforce;")
+                "default-src 'self'; " .
+                "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://api.mapbox.com https://api.tiles.mapbox.com blob:; " .
+                "style-src 'self' 'unsafe-inline' https://api.mapbox.com https://api.tiles.mapbox.com cloud.typography.com jonnybarnes.uk; " .
+                "img-src 'self' data: blob: https://pbs.twimg.com https://api.mapbox.com https://*.tiles.mapbox.com https://jbuk-media.s3-eu-west-1.amazonaws.com https://jbuk-media-dev.s3-eu-west-1.amazonaws.com https://secure.gravatar.com https://graph.facebook.com *.fbcdn.net https://*.cdninstagram.com https://*.4sqi.net https://upload.wikimedia.org; " .
+                "font-src 'self' data:; " .
+                "connect-src 'self' https://api.mapbox.com https://*.tiles.mapbox.com https://events.mapbox.com data: blob:; " .
+                "worker-src 'self' blob:; " .
+                "frame-src 'self' https://www.youtube.com blob:; " .
+                "child-src blob:; " .
+                "upgrade-insecure-requests; " .
+                "block-all-mixed-content; " .
+                "report-to csp-endpoint; " .
+                "report-uri https://jonnybarnes.report-uri.io/r/default/csp/enforce;"
            )->header(
                'Report-To',
                '{' .
                        "'url': 'https://jonnybarnes.report-uri.io/r/default/csp/enforce', " .
-                        "'group': 'csp-endpoint'," .
+                        "'group': 'csp-endpoint', " .
                        "'max-age': 10886400" .
                '}'
            );