Merge pull request #5069 from FreeCodeCamp/fix/reduce-header-size

Reduce header size

server/middlewares/csp.js

@@ -1,87 +1,55 @@
 import helmet from 'helmet';
 
 const trusted = [
-  "'self'",
-  'blob:',
-  '104.236.218.15',
-  '*.freecodecamp.com',
-  'http://www.freecodecamp.com',
-  'http://freecodecamp.com',
-  'https://www.freecodecamp.com',
-  'https://freecodecamp.com',
-  'https://freecodecamp.org',
-  '*.freecodecamp.org',
-  // NOTE(berks): add the following as the blob above was not covering www
-  'http://www.freecodecamp.org',
-  'ws://freecodecamp.com/',
-  'ws://www.freecodecamp.com/',
-  '*.gstatic.com',
-  '*.google-analytics.com',
-  '*.googleapis.com',
-  '*.google.com',
-  '*.gstatic.com',
-  '*.doubleclick.net',
-  '*.twitter.com',
-  '*.twitch.tv',
-  '*.twimg.com',
-  "'unsafe-eval'",
-  "'unsafe-inline'",
-  '*.bootstrapcdn.com',
-  '*.cloudflare.com',
-  'https://*.cloudflare.com',
-  'localhost:3001',
-  'ws://localhost:3001/',
-  'http://localhost:3001',
-  'localhost:3000',
-  'ws://localhost:3000/',
-  'http://localhost:3000',
-  '*.ionicframework.com',
-  'https://syndication.twitter.com',
-  '*.youtube.com',
-  '*.jsdelivr.net',
-  'https://*.jsdelivr.net',
-  '*.ytimg.com',
-  '*.bitly.com',
-  'http://cdn.inspectlet.com/',
-  'https://cdn.inspeclet.com/',
-  'wss://inspectletws.herokuapp.com/',
-  'http://hn.inspectlet.com/',
-  '*.googleapis.com',
-  '*.gstatic.com',
-  'https://hn.inspectlet.com/',
-  'https://*.github.com'
+  "'self'"
 ];
 
 export default function csp() {
   return helmet.csp({
     defaultSrc: trusted,
     scriptSrc: [
+      "'unsafe-eval'",
+      "'unsafe-inline'",
+      '*.google-analytics.com',
+      '*.gstatic.com',
+      'https://*.cloudflare.com',
+      '*.cloudflare.com',
       'https://*.gitter.im',
-      '*.optimizely.com',
-      '*.aspnetcdn.com',
-      '*.d3js.org',
-      'https://cdn.inspectlet.com/inspectlet.js',
-      'http://cdn.inspectlet.com/inspectlet.js',
-      'http://beta.freecodecamp.com'
+      'https://*.cdnjs.com',
+      '*.cdnjs.com',
+      'https://*.jsdelivr.com',
+      '*.jsdelivr.com',
+      '*.twimg.com',
+      'https://*.twimg.com'
     ].concat(trusted),
-    'connect-src': [
+    connectSrc: [
       'vimeo.com'
     ].concat(trusted),
     styleSrc: [
+      "'unsafe-inline'",
+      '*.gstatic.com',
       '*.googleapis.com',
-      '*.gstatic.com'
+      '*.bootstrapcdn.com',
+      'https://*.bootstrapcdn.com',
+      '*.cloudflare.com',
+      'https://*.cloudflare.com'
+    ].concat(trusted),
+    fontSrc: [
+      '*.cloudflare.com',
+      'https://*.cloudflare.com',
+      '*.bootstrapcdn.com',
+      '*.googleapis.com',
+      '*.gstatic.com',
+      'https://*.bootstrapcdn.com'
     ].concat(trusted),
     imgSrc: [
       // allow all input since we have user submitted images for
       // public profile
       '*',
       'data:'
-    ].concat(trusted),
-    fontSrc: [
-      '*.googleapis.com',
-      '*.gstatic.com'
-    ].concat(trusted),
+    ],
     mediaSrc: [
+      '*.bitly.com',
       '*.amazonaws.com',
       '*.twitter.com'
     ].concat(trusted),
@@ -90,7 +58,8 @@ export default function csp() {
       '*.gitter.im https:',
       '*.vimeo.com',
       '*.twitter.com',
-      '*.ghbtns.com'
+      '*.ghbtns.com',
+      '*.freecatphotoapp.com'
     ].concat(trusted),
     // set to true if you only want to report errors
     reportOnly: false,