Merge pull request #352 from weni-ai/nexus-1618-csp-settings

[Nexus-1618] Content-Security-Policy Setup and Updates Hotjar Setup
weni-ai · Jul 19, 2024 · 821b324 · 821b324
2 parents 6cf6c8d + 086cba8
commit 821b324
Show file tree

Hide file tree

Showing 4 changed files with 22 additions and 34 deletions.
diff --git a/nginx.conf b/nginx.conf
@@ -24,6 +24,16 @@ http {
   access_log                    /dev/stdout main;
 
   server {
+    set $CSP_DEFAULT "default-src 'self'";
+    set $CSP_SCRIPT "script-src 'self' 'unsafe-eval' 'unsafe-inline' www.googletagmanager.com static.hotjar.com www.google-analytics.com";
+    set $CSP_FONT "font-src 'self' fonts.gstatic.com";
+    set $CSP_STYLE "style-src 'self' 'unsafe-hashes' 'unsafe-inline' ilhasoft.com.br fonts.googleapis.com";
+    set $CSP_IMAGE "img-src 'self' data: www.google-analytics.com www.google.com.br www.googletagmanager.com *.amazonaws.com";
+    set $CSP_CONNECT "connect-src 'self' *.weni.ai www.google-analytics.com analytics.google.com";
+    set $CSP_FRAME_ANCESTORS "frame-ancestors 'self' *.weni.ai";
+
+    add_header Content-Security-Policy "${CSP_DEFAULT}; ${CSP_SCRIPT}; ${CSP_STYLE}; ${CSP_FONT}; ${CSP_IMAGE}; ${CSP_CONNECT}; ${CSP_FRAME_ANCESTORS};";
+
     listen                      8080;
     server_name                 localhost;
     client_max_body_size        32m;

diff --git a/public/index.html b/public/index.html
@@ -9,7 +9,7 @@
     gtag('js', new Date());
     gtag('config', 'UA-37784957-5');
   </script>
-  <script src="/config.js?force-reload"></script>
+  <script src="/config.js?force-reload-2"></script>
   <meta charset="utf-8">
   <meta name="viewport" content="width=device-width,initial-scale=1.0">
   <meta name="msapplication-TileColor" content="#00d1b2">
@@ -19,6 +19,17 @@
   <link rel="manifest" href="manifest.json">
   <link rel="stylesheet" href="https://ilhasoft.com.br/newcodes/bothub/pushwidget-bothub.css">
   <title>Weni</title>
+
+  <script>
+    (function(h,o,t,j,a,r){
+        h.hj=h.hj||function(){(h.hj.q=h.hj.q||[]).push(arguments)};
+        h._hjSettings={hjid:runtimeVariables.get('VUE_APP_BOTHUB_WEBAPP_HOTJAR_ID'),hjsv:6};
+        a=o.getElementsByTagName('head')[0];
+        r=o.createElement('script');r.async=1;
+        r.src=t+h._hjSettings.hjid+j+h._hjSettings.hjsv;
+        a.appendChild(r);
+    })(window,document,'https://static.hotjar.com/c/hotjar-','.js?sv=');
+  </script>
 </head>
 
 <body>

diff --git a/src/App.vue b/src/App.vue
@@ -32,7 +32,6 @@
 <script>
 import { mapGetters, mapActions } from 'vuex';
 import NewsModal from '@/components/NewsModal';
-import hotjar from '@/utils/plugins/hotjar';
 import I18n from '@/utils/plugins/i18n';
 import store from './store';
 import ModalDependingOnFlowsLength from './components/ModalDependingOnFlowsLength';
@@ -84,7 +83,6 @@ export default {
   },
   mounted() {
     document.title = this.dynamicTitle;
-    hotjar.addHotjar();
     this.safariDetected();
     this.profileInfo();
     window.parent.postMessage(

diff --git a/src/utils/plugins/hotjar.js b/src/utils/plugins/hotjar.js