Merge pull request #4693 from blockscout/vb-csp-fix

CSP fix: allow only Trustwallet assets repo from Github
3 years ago · a40b0cd564
parent bee3da8df5 4b8f7f73ab
commit a40b0cd564
3 changed files with 3 additions and 5 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -10,7 +10,7 @@
 - [#4625](https://github.com/blockscout/blockscout/pull/4625) - Contract address page: Add implementation link to the overview of proxy contracts
 - [#4624](https://github.com/blockscout/blockscout/pull/4624) - Support HTML tags in alert message
 - [#4608](https://github.com/blockscout/blockscout/pull/4608), [#4622](https://github.com/blockscout/blockscout/pull/4622) - Block Details page: Improved style of transactions button
- [#4596](https://github.com/blockscout/blockscout/pull/4596), [#4681](https://github.com/blockscout/blockscout/pull/4681) - Display token icon for bridged with Mainnet tokens or identicons for other tokens
+- [#4596](https://github.com/blockscout/blockscout/pull/4596), [#4681](https://github.com/blockscout/blockscout/pull/4681), [#4693](https://github.com/blockscout/blockscout/pull/4693) - Display token icon for bridged with Mainnet tokens or identicons for other tokens
 - [#4520](https://github.com/blockscout/blockscout/pull/4520) - Add support for EIP-1559
 - [#4593](https://github.com/blockscout/blockscout/pull/4593) - Add status in `Position` pane for txs have no block
 - [#4579](https://github.com/blockscout/blockscout/pull/4579) - Write contract page: Resize inputs; Improve multiplier selector
--- a/apps/block_scout_web/assets/static/manifest.webmanifest
+++ b/apps/block_scout_web/assets/static/manifest.webmanifest
@ -15,7 +15,5 @@
    ],
    "theme_color": "#ffffff",
    "background_color": "#ffffff",
-    "display": "standalone",
-    "permissions": [ "https://raw.githubusercontent.com/" ],
-    "content_security_policy": "connect-src 'self' raw.githubusercontent.com;"
+    "display": "standalone"
 }
--- a/apps/block_scout_web/lib/block_scout_web/csp_header.ex
+++ b/apps/block_scout_web/lib/block_scout_web/csp_header.ex
@ -11,7 +11,7 @@ defmodule BlockScoutWeb.CSPHeader do
  def call(conn, _opts) do
    Controller.put_secure_browser_headers(conn, %{
      "content-security-policy" => "\
-        connect-src 'self' #{websocket_endpoints(conn)} https://request-global.czilladx.com/ https://raw.githubusercontent.com/;\
+        connect-src 'self' #{websocket_endpoints(conn)} https://request-global.czilladx.com/ https://raw.githubusercontent.com/trustwallet/assets/;\
        default-src 'self';\
        script-src 'self' 'unsafe-inline' 'unsafe-eval' https://coinzillatag.com;\
        style-src 'self' 'unsafe-inline' 'unsafe-eval' https://fonts.googleapis.com;\