Closed JonnyOrtiz-source closed 2 years ago
Hi Jonny, Can you give an example of the Content Security Policy that wasn't working for you?
Here's an example of a policy that allows connection to API Gateway and Cognito
"content-security-policy": [
{
key: "Content-Security-Policy",
value: "default-src 'none'; connect-src https://*.execute-api.eu-central-1.amazonaws.com https://*.auth.eu-central-1.amazoncognito.com",
},
],
Hi Connor. Here’s the last iteration of the CSP I tried before giving up:
{ key: 'Content-Security-Policy', value: "frame-ancestors 'self'; block-all-mixed-content; default-src *; script-src 'self'; style-src 'self'; object-src 'self'; frame-src 'self'; child-src 'self'; img-src 'self'; font-src 'self'; connect-src 'self' https://ovvpbdmxqd.execute-api.us-east-1.amazonaws.com/prod/contactus; manifest-src 'self'; base-uri 'self'; form-action 'self'; media-src 'self'; prefetch-src 'self'; worker-src 'self';", }
On Sep 13, 2021, at 4:30 AM, Connor Kirkpatrick @.***> wrote:
Hi Jonny, Can you give an example of the Content Security Policy that wasn't working for you?
Here's an example of a policy that allows connection to API Gateway and Cognito
"content-security-policy": [ { key: "Content-Security-Policy", value: "default-src 'none'; connect-src https://*.execute-api.eu-central-1.amazonaws.com https://*.auth.eu-central-1.amazoncognito.com; font-src data:; img-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self'", }, ], — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub https://github.com/aws-samples/amazon-cloudfront-secure-static-site/issues/38#issuecomment-917962936, or unsubscribe https://github.com/notifications/unsubscribe-auth/AQ5B566GBLQNZDO6IINOSMTUBWZEHANCNFSM5DXWV7EA. Triage notifications on the go with GitHub Mobile for iOS https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675 or Android https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub.
Thanks for the example Jonny.
I can't spot an obvious problem with the CSP. One suggestion is to try removing the path in the connect-src. The CSP standard expects a domain, rather than a full URL.
i.e.
Domain: https://ovvpbdmxqd.execute-api.us-east-1.amazonaws.com/
URL: https://ovvpbdmxqd.execute-api.us-east-1.amazonaws.com/prod/contactus
Updated CSP
{
key: 'Content-Security-Policy',
value: "frame-ancestors 'self'; block-all-mixed-content; default-src *; script-src 'self'; style-src 'self'; object-src 'self'; frame-src 'self'; child-src 'self'; img-src 'self'; font-src 'self'; connect-src 'self' https://ovvpbdmxqd.execute-api.us-east-1.amazonaws.com/; manifest-src 'self'; base-uri 'self'; form-action 'self'; media-src 'self'; prefetch-src 'self'; worker-src 'self';",
}
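Whether the path in a connect-src entry is honoured is the crux of the thread, so here is an added example (not code from this issue or from the amazon-cloudfront-secure-static-site project): a small Node.js model of how a browser matches a request URL against CSP source expressions. It follows the shape of the CSP3 "Does url match expression" rules in simplified form (no percent-decoding, nonces or hashes) and runs the path-bearing entry from the thread, the trailing-slash form and the wildcard-host form against constructed request URLs. The site origin https://example.cloudfront.net is an assumption.

```javascript
// Added example, not code from the issue thread or the
// amazon-cloudfront-secure-static-site project. Simplified CSP3 source
// matching: scheme/host/port/path only; nonces, hashes and percent-decoding omitted.

const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

// Split "https://*.example.com:8443/api/" into parts. Missing scheme or port
// become null; a missing path becomes "" (any path).
function parseSourceExpression(expr) {
  const m = /^(?:([a-zA-Z][a-zA-Z0-9+.-]*):\/\/)?([^\/:]+)(?::(\d+|\*))?(\/[^?#]*)?$/.exec(expr);
  if (!m) return null;
  return {
    scheme: m[1] ? m[1].toLowerCase() + ":" : null,
    host: m[2].toLowerCase(),
    port: m[3] || null,
    path: m[4] || "",
  };
}

// An http: expression also covers https:, and ws: covers wss: (CSP3 scheme-part matching).
function schemeMatches(exprScheme, urlScheme) {
  return exprScheme === urlScheme
    || (exprScheme === "http:" && urlScheme === "https:")
    || (exprScheme === "ws:" && urlScheme === "wss:");
}

// "*.execute-api.eu-central-1.amazonaws.com" matches any subdomain, not the bare domain.
function hostMatches(exprHost, urlHost) {
  if (exprHost === "*") return true;
  if (exprHost.startsWith("*.")) {
    const suffix = exprHost.slice(1);
    return urlHost.endsWith(suffix) && urlHost.length > suffix.length;
  }
  return exprHost === urlHost;
}

// Does one source expression allow `urlString` for a document at `origin`?
// redirectCount > 0 models a fetch that followed a redirect: the browser then
// checks scheme/host/port only and ignores the expression's path part.
function sourceMatches(expr, urlString, origin, redirectCount = 0) {
  const url = new URL(urlString);
  const originUrl = new URL(origin);
  if (expr === "*") return url.protocol in DEFAULT_PORTS;
  if (expr.startsWith("'")) return expr === "'self'" && url.origin === originUrl.origin;
  if (/^[a-zA-Z][a-zA-Z0-9+.-]*:$/.test(expr)) return schemeMatches(expr.toLowerCase(), url.protocol);

  const p = parseSourceExpression(expr);
  if (p === null) return false;
  if (!schemeMatches(p.scheme ?? originUrl.protocol, url.protocol)) return false;
  if (!hostMatches(p.host, url.hostname)) return false;

  const urlPort = url.port || DEFAULT_PORTS[url.protocol];
  if (p.port === null) {
    if (urlPort !== DEFAULT_PORTS[url.protocol]) return false;
  } else if (p.port !== "*" && p.port !== urlPort) {
    return false;
  }

  // Path part: a trailing "/" means prefix match, otherwise the path must be
  // exact. The query string is never part of the comparison.
  if (redirectCount === 0 && p.path !== "") {
    if (p.path.endsWith("/")) return url.pathname.startsWith(p.path);
    return url.pathname === p.path;
  }
  return true;
}

// Parse a serialized policy into a Map of directive name -> source list.
// When a directive is repeated, only the first occurrence counts.
function parsePolicy(header) {
  const directives = new Map();
  for (const raw of header.split(";")) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Would fetch()/XMLHttpRequest from a page at `origin` to `urlString` be allowed?
// connect-src falls back to default-src; with neither present there is no restriction.
function connectAllowed(header, urlString, origin, redirectCount = 0) {
  const policy = parsePolicy(header);
  const sources = policy.get("connect-src") ?? policy.get("default-src");
  if (sources === undefined) return true;
  return sources.some((s) => sourceMatches(s, urlString, origin, redirectCount));
}

// Constructed inputs: the invoke URL from the thread and an assumed site origin.
const ORIGIN = "https://example.cloudfront.net";
const API = "https://ovvpbdmxqd.execute-api.us-east-1.amazonaws.com/prod/contactus";
const WITH_PATH = "default-src 'none'; connect-src 'self' " + API;
const HOST_ONLY = "default-src 'none'; connect-src 'self' https://ovvpbdmxqd.execute-api.us-east-1.amazonaws.com/";
const WILDCARD = "default-src 'none'; connect-src https://*.execute-api.eu-central-1.amazonaws.com";

function demo() {
  return {
    exactPath: connectAllowed(WITH_PATH, API, ORIGIN),                     // true
    trailingSlash: connectAllowed(WITH_PATH, API + "/", ORIGIN),           // false: different path
    withQuery: connectAllowed(WITH_PATH, API + "?id=1", ORIGIN),           // true: query ignored
    otherPathAfterRedirect: connectAllowed(WITH_PATH, API.replace("contactus", "other"), ORIGIN, 1), // true
    hostOnlyAnyPath: connectAllowed(HOST_ONLY, API.replace("contactus", "other"), ORIGIN),          // true
    wildcardBareDomain: connectAllowed(WILDCARD, "https://execute-api.eu-central-1.amazonaws.com/x", ORIGIN), // false
  };
}

console.log(demo());
```

Two things the model makes visible that the thread only hints at: a path-bearing source such as https://host/prod/contactus does work, but it is an exact match (a request to /prod/contactus/ or /prod/other is blocked), and the path is dropped from the comparison as soon as the request follows a redirect. The trailing-slash form https://host/ is a prefix match covering every path on that host, which is the practical effect of the suggestion above.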
I updated the Content Security Policy in index.js to allow an API Gateway invoke URL as a connect-src, but it blocks it. I changed the default-src to * and tried again, but it still blocks it. Here's an example of the CSP:
headers['content-security-policy'] = [ { key: 'Content-Security-Policy', value: "frame-ancestors 'self'; block-all-mixed-content; default-src *; script-src 'self'; style-src 'self'; object-src 'self'; frame-src 'self'; child-src 'self'; img-src 'self'; font-src 'self'; connect-src 'self'; manifest-src 'self'; base-uri 'self'; form-action 'self'; media-src 'self'; prefetch-src 'self'; worker-src 'self';", }, ];