The latest articles on DEV Community by TonyTheTonyToneTone (@tonyknibbmakarahealth). https://dev.to/tonyknibbmakarahealth https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F849941%2F90dbfc5a-660d-4a73-ae4e-98881725415b.png https://dev.to/tonyknibbmakarahealth en TonyTheTonyToneTone Fri, 22 Apr 2022 17:07:20 +0000 https://dev.to/tonyknibbmakarahealth/aws-amplify-and-cspcors-e9h https://dev.to/tonyknibbmakarahealth/aws-amplify-and-cspcors-e9h <p>After much wailing and gnashing of teeth, I finally got something that works in the AWS Custom Headers:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">customHeaders</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">pattern</span><span class="pi">:</span> <span class="s1">'</span><span class="s">**/*'</span> <span class="na">headers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">key</span><span class="pi">:</span> <span class="s1">'</span><span class="s">Strict-Transport-Security'</span> <span class="na">value</span><span class="pi">:</span> <span class="s1">'</span><span class="s">max-age=31536000;</span><span class="nv"> </span><span class="s">includeSubDomains'</span> <span class="pi">-</span> <span class="na">key</span><span class="pi">:</span> <span class="s1">'</span><span class="s">X-Frame-Options'</span> <span class="na">value</span><span class="pi">:</span> <span class="s1">'</span><span class="s">SAMEORIGIN'</span> <span class="pi">-</span> <span class="na">key</span><span class="pi">:</span> <span class="s1">'</span><span class="s">X-XSS-Protection'</span> <span class="na">value</span><span class="pi">:</span> <span class="s1">'</span><span class="s">1;</span><span class="nv"> </span><span class="s">mode=block'</span> <span class="pi">-</span> <span class="na">key</span><span class="pi">:</span> <span class="s1">'</span><span class="s">X-Content-Type-Options'</span> <span class="na">value</span><span class="pi">:</span> <span class="s1">'</span><span class="s">nosniff'</span> <span class="pi">-</span> <span class="na">key</span><span class="pi">:</span> <span class="s1">'</span><span class="s">Content-Security-Policy'</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">default-src</span><span class="nv"> </span><span class="s">'self'</span><span class="nv"> </span><span class="s">https://www.your-tld.co.uk;</span><span class="nv"> </span><span class="s">script-src</span><span class="nv"> </span><span class="s">'self'</span><span class="nv"> </span><span class="s">https://www.your-tld.co.uk</span><span class="nv"> </span><span class="s">'unsafe-inline'</span><span class="nv"> </span><span class="s">https://www.googletagmanager.com;</span><span class="nv"> </span><span class="s">connect-src</span><span class="nv"> </span><span class="s">'unsafe-inline'</span><span class="nv"> </span><span class="s">https://analytics.google.com;</span><span class="nv"> </span><span class="s">img-src</span><span class="nv"> </span><span class="s">'unsafe-inline'</span><span class="nv"> </span><span class="s">https://www.googletagmanager.com</span><span class="nv"> </span><span class="s">'self'</span><span class="nv"> </span><span class="s">https://www.your-tld.co.uk</span><span class="nv"> </span><span class="s">'unsafe-inline'</span><span class="nv"> </span><span class="s">https://i.vimeocdn.com</span><span class="nv"> </span><span class="s">'self'</span><span class="nv"> </span><span class="s">data:;</span><span class="nv"> </span><span class="s">media-src</span><span class="nv"> </span><span class="s">'unsafe-inline'</span><span class="nv"> </span><span class="s">https://f.vimeocdn.com</span><span class="nv"> </span><span class="s">'unsafe-inline'</span><span class="nv"> </span><span class="s">https://i.vimeocdn.com;</span><span class="nv"> </span><span class="s">frame-src</span><span class="nv"> </span><span class="s">'unsafe-inline'</span><span class="nv"> </span><span class="s">https://player.vimeo.com"</span> </code></pre> </div> <p>This will allow Google Tag Manager, image src as data, and Vimeo videos playing in iframes. </p> <p>I hope it saves someone the hours it's taken me to find this solution... </p>