Fix #817 - Add additional avatar URLs to IMG CSP

mozilla · May 26, 2021 · 7aa3a69 · 7aa3a69
1 parent 5438e77
commit 7aa3a69
Showing 1 changed file with 14 additions and 8 deletions.
diff --git a/privaterelay/settings.py b/privaterelay/settings.py
@@ -55,9 +55,18 @@
 )
 # maps fxa profile hosts to respective avatar hosts for CSP
 AVATAR_IMG_SRC_MAP = {
-    'https://stable.dev.lcip.org/profile/v1':   'stable.dev.lcip.org',
-    'https://profile.stage.mozaws.net/v1':      'mozillausercontent.com',
-    'https://profile.accounts.firefox.com/v1':  'firefoxusercontent.com',
+    'https://stable.dev.lcip.org/profile/v1':      [
+        'stable.dev.lcip.org',
+        'https://stable.dev.lcip.org/profile/v1/avatar/w',
+    ],
+    'https://profile.stage.mozaws.net/v1':      [
+        'mozillausercontent.com',
+        'https://profile.stage.mozaws.net/v1/avatar/w',
+    ],
+    'https://profile.accounts.firefox.com/v1':  [
+        'firefoxusercontent.com',
+        'https://profile.accounts.firefox.com/v1/avatar/w',
+    ],
 }
 AVATAR_IMG_SRC = AVATAR_IMG_SRC_MAP[config(
     'FXA_PROFILE_ENDPOINT', 'https://profile.accounts.firefox.com/v1'
@@ -73,11 +82,8 @@
     'https://www.google-analytics.com/',
 )
 CSP_STYLE_SRC = ("'self'",)
-CSP_IMG_SRC = (
-    "'self'",
-    AVATAR_IMG_SRC,
-)
-REFERRER_POLICY = 'strict-origin-when-cross-origin'
+CSP_IMG_SRC = ["'self'"] + AVATAR_IMG_SRC
+REFERRER_POLICY = 'strict-origin-when-cross-origin' \
 
 ALLOWED_HOSTS = []
 DJANGO_ALLOWED_HOST = config('DJANGO_ALLOWED_HOST', None)