fix(csp): use wildcard for sentry.io for matching subdomains (#1775)

commercetools · Oct 2, 2020 · 57be02b · 57be02b · vercel · Oct 2, 2020
1 parent 08f79ff
commit 57be02b
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 1 deletion.
diff --git a/.changeset/beige-beers-join.md b/.changeset/beige-beers-join.md
@@ -0,0 +1,5 @@
+---
+'@commercetools-frontend/mc-html-template': patch
+---
+
+Fix default CSP `connect-src` directive to match all attempts to load from any subdomain of `sentry.io`
diff --git a/packages/mc-html-template/src/process-headers.js b/packages/mc-html-template/src/process-headers.js
@@ -75,7 +75,8 @@ const processHeaders = (applicationConfig) => {
         'clientstream.launchdarkly.com',
         'events.launchdarkly.com',
         'app.getsentry.com',
-        'sentry.io',
+        // Match all attempts to load from any subdomain of `sentry.io`
+        '*.sentry.io',
         'www.google-analytics.com',
       ].concat(
         isMcDevEnv ? ['ws:', 'localhost:8080', 'webpack-internal:'] : []