From b7d508eb466263c06a12cfe51a831ce453cf227a Mon Sep 17 00:00:00 2001
From: Timmy Willison
Date: Thu, 5 Sep 2024 10:14:37 -0400
Subject: [PATCH] nginx:grunt: update CSP header to account for scripts/styles on gruntjs.com
---
 modules/profile/templates/gruntjscom/site.nginx.erb | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/modules/profile/templates/gruntjscom/site.nginx.erb b/modules/profile/templates/gruntjscom/site.nginx.erb
index 8b95ef6..80088bd 100644
--- a/modules/profile/templates/gruntjscom/site.nginx.erb
+++ b/modules/profile/templates/gruntjscom/site.nginx.erb
@@ -19,7 +19,8 @@ server {
 # Add Content Security Policy headers
 add_header Reporting-Endpoints "csp-endpoint=\"https://csp-report-api.openjs-foundation.workers.dev/\""
- add_header Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self' code.jquery.com; connect-src 'self'; img-src 'self'; style-src 'self'; report-to csp-endpoint" always;
+ # The SHAs are for inline GA scripts
+ add_header Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self' revive.bocoup.com www.google-analytics.com 'sha256-jl/4AZjT8o/P6SGURO7MWYC9FWxqz2COCD/1XBPchLU=' 'sha256-BpeEnlj1KCWLiGFbROjXPqTiovWDb243qYdjW2miRrc='; connect-src 'self'; img-src 'self'; style-src 'self' fonts.googleapis.com; report-to csp-endpoint;" always;
 }
 location /.well-known/acme-challenge {
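Review bot: The widened `style-src` and `script-src` in the new Content-Security-Policy-Report-Only line will still generate violation reports for the secondary resources those hosts pull in, because `default-src 'self'`, `connect-src 'self'` and `img-src 'self'` govern them: stylesheets served from fonts.googleapis.com reference font files on fonts.gstatic.com (no `font-src` is declared), and Google Analytics delivers its hits by beacon/XHR or image request to www.google-analytics.com. If the goal is to converge on an enforceable policy, add `font-src 'self' fonts.gstatic.com;` and extend `connect-src 'self' www.google-analytics.com; img-src 'self' www.google-analytics.com` — the exact hosts depend on which GA snippet is inlined (the gtag.js variant also loads from www.googletagmanager.com), so confirm against the collected reports before enforcing. The two pinned `sha256-` values match the current inline snippets byte-for-byte only, so the added comment would be more useful as `# The SHAs are for inline GA scripts; regenerate them whenever the snippet (e.g. the measurement ID) changes`. Separately, the pre-existing `add_header Reporting-Endpoints` context line above the change carries no `always` flag while the new header does (and, as rendered here, no terminating `;`), so on 4xx/5xx responses the browser receives `report-to csp-endpoint` without a matching endpoint group and silently drops those reports.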