From 8eac1dfd10ef8f5930c19020b28b2bfacfb19185 Mon Sep 17 00:00:00 2001
From: titanism <101466223+titanism@users.noreply.github.com>
Date: Fri, 5 Jan 2024 06:46:28 -0600
Subject: [PATCH] fix: fixed csp

---
 app/views/layout.pug | 9 ---------
 config/web.js | 5 ++++-
 2 files changed, 4 insertions(+), 10 deletions(-)

diff --git a/app/views/layout.pug b/app/views/layout.pug
index 9523cf792a..8a6ddd98ed 100644
--- a/app/views/layout.pug
+++ b/app/views/layout.pug
@@ -375,15 +375,6 @@ html.h-100.no-js(
 crossorigin="anonymous"
 )
 
- //- TODO: remove plausible and migrate to our own
- //- analytics via plausible.io
- if (!user || user.group !== 'admin') && isNotPrivateRoute
- script(
- defer,
- data-domain="forwardemail.net",
- src="https://plausible.io/js/plausible.js"
- )
-
 //- cloudflare turnstile (hidden from bots and admins)
 if config.turnstileEnabled && (!user || user.group !== 'admin')
 script(defer, nonce=nonce).
diff --git a/config/web.js b/config/web.js
index 7c3b65a32d..fdab09a3a5 100644
--- a/config/web.js
+++ b/config/web.js
@@ -128,6 +128,7 @@ setInterval(checkGitHubIssues, 60000);
 
 const defaultSrc = isSANB(process.env.WEB_HOST)
 ? [
+ "'none'",
 "'self'",
 'data:',
 `${env.NODE_ENV === 'production' ? 'https://' : 'http://'}*.${
@@ -136,7 +137,9 @@ const defaultSrc = isSANB(process.env.WEB_HOST)
 `${env.NODE_ENV === 'production' ? 'https://' : 'http://'}${
 env.WEB_HOST
 }`,
- ...(env.NODE_ENV === 'production' ? [] : [`http://${env.WEB_HOST}:*`]),
+ ...(env.NODE_ENV === 'production'
+ ? [`https://${env.WEB_HOST}:*`]
+ : [`http://${env.WEB_HOST}:*`]),
 function (req, res) {
 let nonce;
 for (const s of Object.getOwnPropertySymbols(res)) {
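Review bot: The added `"'none'",` entry at the top of `defaultSrc` has no effect as written: CSP honours `'none'` only when it is the sole source expression in a directive, and next to `'self'`, `data:` and the host entries browsers ignore it and usually log a console warning. If the intent is deny-by-default, `default-src` would have to be `'none'` alone, with the real sources moved to the specific directives (those are not visible here, so this is inferred). Otherwise drop the line so the list matches what is actually enforced. The array literal opens in this hunk and continues past it.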
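Review bot: The production branch of the spread now yields `https://${env.WEB_HOST}:*`, so every port on the web host becomes an allowed source in production, where the old code contributed nothing (`[]`). Any other HTTPS service on that hostname, on any port, is then trusted by whichever directives reuse `defaultSrc`, which loosens the policy more than the title "fixed csp" suggests. If one specific non-default port needed unblocking, list that port instead of `:*` and record the reason, e.g. `// prod serves assets from <PORT>; keep this list explicit` (`<PORT>` is a placeholder). The `defaultSrc` array and the nonce callback that follows it continue outside the hunk.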