csp: report-only for now (#4029)

good call out @SomeHats!

### Change Type


<!-- Please select a 'Type' label -->

- [ ] `feature` — New feature
- [ ] `improvement` — Product improvement
- [ ] `api` — API change
- [ ] `bugfix` — Bug fix
- [x] `other` — Changes that don't affect SDK users, e.g. internal or
.com changes


### Release Notes

- CSP: only do report-only for now until we're sure it's ok.
Mime Čuvalo 2024-06-27 10:54:24 +01:00 committed by GitHub
parent 3d07262e20
commit 576426eba9
No known key found for this signature in database
GPG key ID: B5690EEEBB952194


@ -37,7 +37,7 @@ const commonSecurityHeaders = {
'Strict-Transport-Security': 'max-age=63072000; includeSubDomains; preload',
'X-Content-Type-Options': 'nosniff',
'Referrer-Policy': 'no-referrer-when-downgrade',
'Content-Security-Policy': csp,
'Content-Security-Policy-Report-Only': csp,
}
// We load the list of routes that should be forwarded to our SPA's index.html here.
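Review bot: the 'Content-Security-Policy-Report-Only' entry in commonSecurityHeaders carries no comment saying the downgrade is temporary, so nothing in the code signals that the enforcing 'Content-Security-Policy' header is meant to come back. Please add a short TODO next to it with the condition for switching back. While only the Report-Only header is sent, browsers evaluate `csp` but block nothing, and violations reach you only if `csp` contains a `report-uri` or `report-to` directive. The definition of `csp` is outside this hunk, so please confirm it has one and that the reporting endpoint is being monitored; without it, this mode gives neither protection nor the data needed to decide "it's ok".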