Merge pull request #401 from sparcs-kaist/hotfix/channel-csp

injoonH · web-flow · commit 0fd620413a17 · 2023-09-15T18:21:33.000+09:00
Fix prod ChannelTalk errors
diff --git a/nginx/nginx-production.conf b/nginx/nginx-production.conf
@@ -5,23 +5,35 @@ server {
   server_name _;
 
   location / {
-    set $CSP "default-src 'self' 'unsafe-inline' newara.sparcs.org blob: ";              # Default rules for new-ara
-    set $CSP "${CSP}*.googleapis.com *.gstatic.com https://www.google-analytics.com ";   # Default rules for google fonts, google analytics
-    set $CSP "${CSP}https://analytics.google.com; ";                                     # Default rules for google analytics
-    set $CSP "${CSP}object-src 'self'; ";                                                # Disallow Objects
+    # See this link for more information about CSP
+    # https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
+    # https://content-security-policy.com/
+    set $CSP "default-src 'self' 'unsafe-inline' newara.sparcs.org ";                   # Default rules for new-ara
+    set $CSP "${CSP}*.channel.io *.cdninstagram.com ";                                  # Default rules for channeltalk
+    set $CSP "${CSP}blob: *.googleapis.com *.gstatic.com ";                             # Default rules for google fonts, google analytics
+    set $CSP "${CSP}https://www.google-analytics.com https://analytics.google.com; ";   # Default rules for google analytics
+    
+    set $CSP "${CSP}object-src 'self'; ";                                               # Disallow Objects
+    set $CSP "${CSP}connect-src 'self' *.channel.io *.sentry.io wss://*.channel.io ";   # Connect rules for channeltalk (1/2)
+    set $CSP "${CSP}wss://*.desk-ws.channel.io wss://*.front-ws.channel.io ";           # Connect rules for channeltalk (2/2)
+    set $CSP "${CSP}https://www.google-analytics.com https://analytics.google.com; ";   # Connect rules for google analytics
+    
     set $CSP "${CSP}img-src * data: blob:; ";                                            # Image rules for new-ara (allow all, data, blobs)
+    
     set $CSP "${CSP}script-src 'self' ";                                                 # Script rules for new-ara
+    set $CSP "${CSP}*.channel.io *.sentry-cdn.com ";                                     # Script rules for channeltalk
     set $CSP "${CSP}*.googleapis.com https://www.google-analytics.com ";                 # Script rules for google analytics (1/3)
     set $CSP "${CSP}https://ssl.google-analytics.com https://www.googletagmanager.com "; # Script rules for google analytics (2/3)
-    set $CSP "${CSP}'sha512-e/cuSC5V9VDB1AUGqvPz2BwaJ2W83fduZ4RZjXHMtjQrLS0j06MAtFP//Iz9EL55MSm7SNBtyFYlDkmxdif/jg=='";
+    set $CSP "${CSP}'sha512-e/cuSC5V9VDB1AUGqvPz2BwaJ2W83fduZ4RZjXHMtjQrLS0j06MAtFP//Iz9EL55MSm7SNBtyFYlDkmxdif/jg=='; ";
                                                                                          # Script rules for google analytics (3/3)
                                                                                          # > From our inline script in index.html
-    set $CSP "${CSP}https://cdn.channel.io;";                                            # Script rules for channel
 
     add_header Content-Security-Policy $CSP always;
     add_header X-Content-Type-Options nosniff;
     add_header X-Frame-Options DENY;
     add_header X-XSS-Protection "1; mode=block";
+    add_header Strict-Transport-Security "max-age=31536000";
+    add_header Referrer-Policy "origin";
 
     root /usr/share/nginx/newara;
     try_files $uri $uri/ /index.html;
diff --git a/src/components/TheFooter.vue b/src/components/TheFooter.vue
@@ -65,12 +65,6 @@ export default {
     TermsPopup
   },
 
-  data () {
-    return {
-      isChannelOpen: false
-    }
-  },
-
   computed: {
     agreeTosAt () {
       return this.$store.state.auth.userProfile?.agree_terms_of_service_at
@@ -79,18 +73,13 @@ export default {
 
   methods: {
     openChannelService () {
-      this.isChannelOpen = !this.isChannelOpen
-      if (this.isChannelOpen) {
-        ChannelService.updateUser({
-          profile: {
-            name: this.$store.state.auth.userProfile?.nickname,
-            email: this.$store.state.auth.userProfile?.email
-          }
-        })
-        ChannelService.showMessenger()
-      } else {
-        ChannelService.hideMessenger()
-      }
+      ChannelService.updateUser({
+        profile: {
+          name: this.$store.state.auth.userProfile?.nickname,
+          email: this.$store.state.auth.userProfile?.email
+        }
+      })
+      ChannelService.showMessenger()
     }
   }
 }
