From 234d62d24290e795affb54131c40fef7368ea643 Mon Sep 17 00:00:00 2001
From: Yudi <12040397+Yudi@users.noreply.github.com>
Date: Tue, 1 Oct 2024 10:07:33 -0300
Subject: [PATCH] feat: update csp

---
 docker/frontend/nginx/default.conf | 72 ++++++++++++++++++++----------
 1 file changed, 48 insertions(+), 24 deletions(-)

diff --git a/docker/frontend/nginx/default.conf b/docker/frontend/nginx/default.conf
index ad6f35f7..b31f65a5 100755
--- a/docker/frontend/nginx/default.conf
+++ b/docker/frontend/nginx/default.conf
@@ -12,7 +12,7 @@ server {
 location / {
 root /usr/share/nginx/html;
 try_files $uri $uri/ $uri.html /index.html;
- limit_except GET HEAD POST { deny all; };
+ limit_except GET HEAD POST { deny all; }
 
 # CSP nonce
 set $cspNonce $request_id;
@@ -26,51 +26,75 @@ server { # CSP header add_header Content-Security-Policy " script-src 'self' 'nonce-$cspNonce' - https://plausible.cacic.dev.br/js/ + https://plausible.cacic.dev.br/js/ https://www.googletagmanager.com/gtag/ https://www.google.com/recaptcha/ https://accounts.google.com/gsi/ https://ajax.cloudflare.com https://static.cloudflareinsights.com https://www.gstatic.com/recaptcha/ - 'wasm-unsafe-eval'; + 'wasm-unsafe-eval'; + script-src-elem * 'unsafe-inline'; + script-src-attr * 'unsafe-inline'; style-src 'self' 'nonce-$cspNonce' https://accounts.google.com/gsi/style ; + style-src-elem * 'unsafe-inline'; object-src 'none'; - base-uri 'self'; + base-uri 'self' ; frame-ancestors 'none'; - worker-src 'self'; + worker-src 'self' blob:; frame-src https://www.google.com/recaptcha/ https://accounts.google.com/ ; img-src 'self' + # Allows user-uploaded receipts + data: + https://firebasestorage.googleapis.com/v0/b/fct-pp.appspot.com/ https://lh3.googleusercontent.com/a/ https://tile.openstreetmap.org/ - https://cdn.jsdelivr.net/gh/twitter/twemoji@latest/assets/svg/ ; + https://cdn.jsdelivr.net/gh/pointhi/leaflet-color-markers@master/ + https://cdn.jsdelivr.net/gh/twitter/twemoji@latest/assets/svg/ ; connect-src 'self' - https://plausible.cacic.dev.br/api/ - https://plausible.cacic.dev.br/js/ + # Must be updated when version changes + https://fastly.jsdelivr.net/npm/zxing-wasm@1.2.12/dist/full/zxing_full.wasm https://firestore.googleapis.com/ - https://identitytoolkit.googleapis.com/ - https://firebaseinstallations.googleapis.com/ - https://securetoken.googleapis.com/ - https://content-firebaseappcheck.googleapis.com/ - https://firebaseremoteconfig.googleapis.com/ - https://www.google.com/recaptcha/ - https://firebase.googleapis.com/ - https://www.gstatic.com/recaptcha/ - https://www.googletagmanager.com/ - https://www.google-analytics.com/g/ - https://accounts.google.com/gsi/client + https://plausible.cacic.dev.br/api/ + https://plausible.cacic.dev.br/js/ + 
https://identitytoolkit.googleapis.com/ + https://fct-pp.appspot.com/ + https://fct-pp.firebaseapp.com/ + https://firebasestorage.googleapis.com/v0/b/fct-pp.appspot.com/ + https://firebaseinstallations.googleapis.com/ + https://securetoken.googleapis.com/ + https://content-firebaseappcheck.googleapis.com/ + https://firebaseremoteconfig.googleapis.com/ + https://www.google.com/recaptcha/ + https://firebase.googleapis.com/ + https://www.gstatic.com/recaptcha/ + https://www.googletagmanager.com/ + https://www.google-analytics.com/g/ + https://accounts.google.com/gsi/client + https://lh3.googleusercontent.com/ + https://tile.openstreetmap.org/ + https://accounts.google.com/gsi/style + https://glitchtip.cacic.dev.br + https://southamerica-east1-fct-pp.cloudfunctions.net + https://api.open-meteo.com/v1/forecast + https://cdn.jsdelivr.net/gh/twitter/twemoji@latest/assets/svg/ https://cdn.jsdelivr.net/gh/cacic-fct/fct-app@main/frontend/src/assets/certificates/templates/ - https://cdn.jsdelivr.net/gh/cacic-fct/fonts@main/Inter/latin-ext/ ; - manifest-src 'self'; - form-action 'self'; - default-src 'none';"; + https://cdn.jsdelivr.net/gh/cacic-fct/fonts@main/Inter/latin-ext/ ; + manifest-src 'self'; + form-action 'self'; + default-src 'none'; + trusted-types angular + angular#unsafe-bypass + angular#bundler + google#safe + goog#html;"; } location /health { add_header 'Content-Type' 'application/json'; - return 200 '{"status":"UP"}'; + return 200 '{"status":"ok"}'; } location ~* ^/(docs|documentacao|documentaĆ§Ć£o)/ {
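Review bot: The added `script-src-elem * 'unsafe-inline';` and `script-src-attr * 'unsafe-inline';` lines (and `style-src-elem * 'unsafe-inline';`) undo the nonce-based `script-src` on the line above them: browsers that understand the `-elem`/`-attr` directives apply those instead of `script-src` for script elements and inline handlers, so any inline or third-party script is permitted and the nonce only protects browsers that lack those directives. Unless a specific inline script is required, these three lines should be dropped; if Angular's inline scripts are the reason, cover them with the existing `'nonce-$cspNonce'` or a hash on `script-src-elem` rather than `*`. Separately, the `# Allows user-uploaded receipts` and `# Must be updated when version changes` lines sit inside the double-quoted `add_header` value, and nginx treats `#` inside a quoted string as literal text, so those words are most likely sent on the wire as bogus source expressions; move the comments outside the string. The `trusted-types` policy list also has no enforcement effect without a `require-trusted-types-for 'script';` directive, which may be a deliberate staged rollout but is worth confirming. The enclosing `server { … }` block begins before the hunk.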