Merge pull request #980 from adobecom/MWPW-166463

MWPW-166463: CSP Directives update

acrobat/scripts/contentSecurityPolicy/csp.js

@@ -50,6 +50,6 @@ export default async function ContentSecurityPolicy() {
   // Content Security Policy Logging
   window.cspErrors = [];
   document.addEventListener('securitypolicyviolation', (e) => {
-    window.cspErrors.push(`${e.violatedDirective} violation ¶ Refused to load content from ${e.blockedURI}`);
+    window.cspErrors.push(`${e.violatedDirective} violation ¶ Refused to load content from ${e.blockedURI}, Script location: ${e.sourceFile} Line: ${e.lineNumber} Column: ${e.columnNumber}`);
   });
 }

acrobat/scripts/contentSecurityPolicy/dev.js

@@ -121,6 +121,7 @@ const imgSrc = [
   'stage.adobeccstatic.com',
   '*.clarity.ms',
   '*.enterprise.adobe.com',
+  'www.stage.adobe.com',
   '*.services.adobe.com',
   'alb.reddit.com/rp.gif',
   'bat.bing.com/action/',
@@ -168,6 +169,7 @@ const scriptSrc = [
   '\'self\'',
   '\'unsafe-inline\'',
   '\'unsafe-eval\'',
+  'CCb6zi09JRQ6b1z1',
   '*.adobe.com',
   '*.clarity.ms',
   'accounts.google.com/gsi/client',

acrobat/scripts/contentSecurityPolicy/prod.js

@@ -8,6 +8,7 @@ const connectSrc = [
   '\'self\'',
   'blob:',
   '14257-chimera.adobeioruntime.net',
+  'www.adobe.com',
   '*.adobe.com',
   'prod.adobeccstatic.com',
   '*.clicktale.net/',
@@ -114,6 +115,7 @@ const frameSrc = [
   'ui.messaging.adobe.com/',
   'acrobatservices.adobe.com',
   'auth-light.identity.adobe.com',
+  'pixel.everesttech.net',
   ';',
 ];
 
@@ -181,6 +183,7 @@ const scriptSrc = [
   '\'self\'',
   '\'unsafe-inline\'',
   '\'unsafe-eval\'',
+  'www.adobe.com',
   '*.adobe.com',
   '*.clarity.ms',
   'accounts.google.com/gsi/client',

acrobat/scripts/contentSecurityPolicy/stage.js

@@ -27,6 +27,7 @@ const connectSrc = [
   'adobeioruntime.net',
   'adobesearch-stage.adobe.io',
   'analytics.tiktok.com',
+  'api.company-target.com',
   'api.company-target.com/api/v2/',
   'api.iperceptions.com',
   'bat.bing.com/',
@@ -55,6 +56,7 @@ const connectSrc = [
   '*.aem.live',
   'cdn.linkedin.oribi.io',
   '*.akstat.io/',
+  'www.facebook.com',
   'facebook.com',
   'px.ads.linkedin.com',
   'tr6.snapchat.com',
@@ -180,6 +182,7 @@ const scriptSrc = [
   '\'self\'',
   '\'unsafe-inline\'',
   '\'unsafe-eval\'',
+  'www.stage.adobe.com',
   '*.adobe.com',
   '*.clarity.ms',
   'accounts.google.com/gsi/client',
@@ -234,7 +237,7 @@ const scriptSrc = [
   'tr.snapchat.com/',
   'universal.iperceptions.com',
   'use.typekit.net',
-  'www.everestjs.net/static/le/',
+  'www.everestjs.net',
   'www.facebook.com',
   'www.google.com',
   'www.googletagmanager.com',

test/scripts/contentSecurityPolicy/csp.test.js

@@ -1,9 +1,6 @@
 import { expect } from '@esm-bundle/chai';
-import * as sinon from 'sinon';
 
-const { default: ContentSecurityPolicy } = await import(
-  '../../../acrobat/scripts/contentSecurityPolicy/csp'
-);
+const { default: ContentSecurityPolicy } = await import('../../../acrobat/scripts/contentSecurityPolicy/csp.js');
 
 describe('contentSecurityPolicy csp', () => {
   it('handles securitypolicyviolation event', async () => {
@@ -13,7 +10,7 @@ describe('contentSecurityPolicy csp', () => {
     event.violatedDirective = 'test';
     document.dispatchEvent(event);
     expect(window.cspErrors[0]).to.eql(
-      `${event.violatedDirective} violation ¶ Refused to load content from ${event.blockedURI}`
+      `${event.violatedDirective} violation ¶ Refused to load content from ${event.blockedURI}, Script location: ${event.sourceFile} Line: ${event.lineNumber} Column: ${event.columnNumber}`,
     );
   });
 });