Scrapbox's CSP
code:header
HTTP/1.1 200 OK
Server: Cowboy
Nel: {"report_to":"heroku-nel","max_age":3600,"success_fraction":0.005,"failure_fraction":0.05,"response_headers":"Via"}
Connection: keep-alive
Strict-Transport-Security: max-age=63072000; preload
X-Xss-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Referrer-Policy: same-origin
Content-Security-Policy: connect-src 'self' i.gyazo.com t.gyazo.com wss://scrapbox.io api.openai.com *.openai.azure.com maps.googleapis.com bedrock.ap-northeast-1.amazonaws.com bedrock-runtime.ap-northeast-1.amazonaws.com bedrock-agent.ap-northeast-1.amazonaws.com bedrock-agent-runtime.ap-northeast-1.amazonaws.com https://upload.gyazo.com https://storage.googleapis.com https://sentry.io; default-src 'self'; font-src 'self' cdnjs.cloudflare.com fonts.gstatic.com; frame-src 'self' www.google.com www.youtube.com player.vimeo.com anchor.fm podcasters.spotify.com embed-standalone.spotify.com gyazo.com *.gyazo.com dashboard.helpfeel.com js.stripe.com; img-src * data: blob:; media-src *; script-src 'self' cdnjs.cloudflare.com maps.googleapis.com 'unsafe-eval' helpfeel-tweaks.helpfeel.com js.stripe.com www.google.com www.gstatic.com; style-src 'self' fonts.googleapis.com cdnjs.cloudflare.com 'unsafe-inline'; worker-src 'self'; form-action 'self'; upgrade-insecure-requests
X-Content-Security-Policy: connect-src 'self' i.gyazo.com t.gyazo.com wss://scrapbox.io api.openai.com *.openai.azure.com maps.googleapis.com bedrock.ap-northeast-1.amazonaws.com bedrock-runtime.ap-northeast-1.amazonaws.com bedrock-agent.ap-northeast-1.amazonaws.com bedrock-agent-runtime.ap-northeast-1.amazonaws.com https://upload.gyazo.com https://storage.googleapis.com https://sentry.io; default-src 'self'; font-src 'self' cdnjs.cloudflare.com fonts.gstatic.com; frame-src 'self' www.google.com www.youtube.com player.vimeo.com anchor.fm podcasters.spotify.com embed-standalone.spotify.com gyazo.com *.gyazo.com dashboard.helpfeel.com js.stripe.com; img-src * data: blob:; media-src *; script-src 'self' cdnjs.cloudflare.com maps.googleapis.com 'unsafe-eval' helpfeel-tweaks.helpfeel.com js.stripe.com www.google.com www.gstatic.com; style-src 'self' fonts.googleapis.com cdnjs.cloudflare.com 'unsafe-inline'; worker-src 'self'; form-action 'self'; upgrade-insecure-requests
X-Webkit-Csp: connect-src 'self' i.gyazo.com t.gyazo.com wss://scrapbox.io api.openai.com *.openai.azure.com maps.googleapis.com bedrock.ap-northeast-1.amazonaws.com bedrock-runtime.ap-northeast-1.amazonaws.com bedrock-agent.ap-northeast-1.amazonaws.com bedrock-agent-runtime.ap-northeast-1.amazonaws.com https://upload.gyazo.com https://storage.googleapis.com https://sentry.io; default-src 'self'; font-src 'self' cdnjs.cloudflare.com fonts.gstatic.com; frame-src 'self' www.google.com www.youtube.com player.vimeo.com anchor.fm podcasters.spotify.com embed-standalone.spotify.com gyazo.com *.gyazo.com dashboard.helpfeel.com js.stripe.com; img-src * data: blob:; media-src *; script-src 'self' cdnjs.cloudflare.com maps.googleapis.com 'unsafe-eval' helpfeel-tweaks.helpfeel.com js.stripe.com www.google.com www.gstatic.com; style-src 'self' fonts.googleapis.com cdnjs.cloudflare.com 'unsafe-inline'; worker-src 'self'; form-action 'self'; upgrade-insecure-requests
X-Assets-Version: assets-20241123-192242
Content-Type: text/html; charset=utf-8
Content-Length: 5968
Etag: W/"1750-LViSML1PsNCvmKXgpcK4a0h/ETg"
Vary: Accept-Encoding
Set-Cookie: connect.sid=s%3ADRkQibBuWln8e09n5bK82cwjEMa7GdMO.PeeRk5IBvefBH77uHL2ZeWlAbJyP%2Bq3XUJh9C9VpsU0; Path=/; Expires=Fri, 24 Jan 2025 08:06:41 GMT; HttpOnly; Secure
Date: Mon, 25 Nov 2024 08:06:41 GMT
Via: 1.1 vegur
I fetched this with curl without setting connect.sid or anything, so it should be fine to post all the headers.
So they issue a sid even before login.
This is the CSP
code:csp
Content-Security-Policy: connect-src 'self' i.gyazo.com t.gyazo.com wss://scrapbox.io api.openai.com *.openai.azure.com maps.googleapis.com bedrock.ap-northeast-1.amazonaws.com bedrock-runtime.ap-northeast-1.amazonaws.com bedrock-agent.ap-northeast-1.amazonaws.com bedrock-agent-runtime.ap-northeast-1.amazonaws.com https://upload.gyazo.com https://storage.googleapis.com https://sentry.io; default-src 'self'; font-src 'self' cdnjs.cloudflare.com fonts.gstatic.com; frame-src 'self' www.google.com www.youtube.com player.vimeo.com anchor.fm podcasters.spotify.com embed-standalone.spotify.com gyazo.com *.gyazo.com dashboard.helpfeel.com js.stripe.com; img-src * data: blob:; media-src *; script-src 'self' cdnjs.cloudflare.com maps.googleapis.com 'unsafe-eval' helpfeel-tweaks.helpfeel.com js.stripe.com www.google.com www.gstatic.com; style-src 'self' fonts.googleapis.com cdnjs.cloudflare.com 'unsafe-inline'; worker-src 'self'; form-action 'self'; upgrade-insecure-requests
Break it down
Content-Security-Policy:
connect-src
'self'
i.gyazo.com
t.gyazo.com
wss://scrapbox.io
api.openai.com
*.openai.azure.com
maps.googleapis.com
bedrock.ap-northeast-1.amazonaws.com
bedrock-runtime.ap-northeast-1.amazonaws.com
bedrock-agent.ap-northeast-1.amazonaws.com
bedrock-agent-runtime.ap-northeast-1.amazonaws.com
https://upload.gyazo.com
https://storage.googleapis.com
https://sentry.io;
default-src 'self';
font-src 'self' cdnjs.cloudflare.com fonts.gstatic.com;
frame-src 'self'
www.google.com
www.youtube.com
player.vimeo.com
anchor.fm
podcasters.spotify.com
embed-standalone.spotify.com
gyazo.com
*.gyazo.com
dashboard.helpfeel.com
js.stripe.com;
img-src * data: blob:;
media-src *;
script-src 'self'
cdnjs.cloudflare.com
maps.googleapis.com
'unsafe-eval'
helpfeel-tweaks.helpfeel.com
js.stripe.com
www.google.com
www.gstatic.com;
style-src 'self' fonts.googleapis.com cdnjs.cloudflare.com 'unsafe-inline';
worker-src 'self';
form-action 'self';
upgrade-insecure-requests
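The breakdown above is done by hand. As an added example (not code from the Scrapbox page or from Scrapbox itself), the script below does the same split programmatically: it parses the policy value captured on this page into a directive map, resolves the default-src fallback the way browsers do for fetch directives, and lists the settings a reviewer would look at first (`'unsafe-eval'`, `'unsafe-inline'`, wildcard sources, and directives that do not fall back to default-src). The set of fetch directives that inherit from default-src is taken from the CSP specification; the embedded policy string is the one shown on this page.

```javascript
// Added example, not code from the Scrapbox page: parse a Content-Security-Policy
// header value into its directives and flag the settings a reviewer looks at first.
// SCRAPBOX_CSP is the policy value captured on the page, embedded here as a string.
const SCRAPBOX_CSP =
  "connect-src 'self' i.gyazo.com t.gyazo.com wss://scrapbox.io api.openai.com " +
  "*.openai.azure.com maps.googleapis.com bedrock.ap-northeast-1.amazonaws.com " +
  "bedrock-runtime.ap-northeast-1.amazonaws.com bedrock-agent.ap-northeast-1.amazonaws.com " +
  "bedrock-agent-runtime.ap-northeast-1.amazonaws.com https://upload.gyazo.com " +
  "https://storage.googleapis.com https://sentry.io; default-src 'self'; " +
  "font-src 'self' cdnjs.cloudflare.com fonts.gstatic.com; " +
  "frame-src 'self' www.google.com www.youtube.com player.vimeo.com anchor.fm " +
  "podcasters.spotify.com embed-standalone.spotify.com gyazo.com *.gyazo.com " +
  "dashboard.helpfeel.com js.stripe.com; img-src * data: blob:; media-src *; " +
  "script-src 'self' cdnjs.cloudflare.com maps.googleapis.com 'unsafe-eval' " +
  "helpfeel-tweaks.helpfeel.com js.stripe.com www.google.com www.gstatic.com; " +
  "style-src 'self' fonts.googleapis.com cdnjs.cloudflare.com 'unsafe-inline'; " +
  "worker-src 'self'; form-action 'self'; upgrade-insecure-requests";

// Fetch directives: these fall back to default-src when absent (per the CSP spec).
// base-uri, form-action and frame-ancestors do NOT fall back to default-src.
const FETCH_DIRECTIVES = new Set([
  'child-src', 'connect-src', 'font-src', 'frame-src', 'img-src', 'manifest-src',
  'media-src', 'object-src', 'script-src', 'style-src', 'worker-src',
]);

// "name src src; name src ..." -> Map(name -> [sources]).
// Directive names are case-insensitive; a repeated directive is ignored (first one wins),
// which is what browsers do.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Source list that actually governs `name`, honouring the default-src fallback.
// Returns null when nothing governs the directive, i.e. it is unrestricted.
function effectiveSources(directives, name) {
  if (directives.has(name)) return directives.get(name);
  if (FETCH_DIRECTIVES.has(name) && directives.has('default-src')) {
    return directives.get('default-src');
  }
  return null;
}

// Findings a reviewer would raise, as plain strings so two deployments can be diffed.
function reviewCsp(directives) {
  const findings = [];
  for (const [name, sources] of directives) {
    if (sources.includes("'unsafe-eval'")) findings.push(`${name} allows 'unsafe-eval'`);
    if (sources.includes("'unsafe-inline'")) findings.push(`${name} allows 'unsafe-inline'`);
    if (sources.includes('*')) findings.push(`${name} allows any origin (*)`);
  }
  // Directives with no fallback (or no default-src to fall back to) are unrestricted.
  for (const name of ['object-src', 'base-uri', 'frame-ancestors']) {
    if (effectiveSources(directives, name) === null) {
      findings.push(`${name} is unrestricted (not set and no default-src fallback)`);
    }
  }
  return findings;
}

// Stand-alone run: print the breakdown and the findings for the page's policy.
const parsed = parseCsp(SCRAPBOX_CSP);
for (const [name, sources] of parsed) console.log(name, sources);
console.log(reviewCsp(parsed));
```

For the policy on this page the review lists six items: img-src and media-src use `*`, script-src carries `'unsafe-eval'`, style-src carries `'unsafe-inline'`, and base-uri and frame-ancestors are absent (object-src is fine because it inherits default-src 'self'). The missing frame-ancestors is covered for framing by the X-Frame-Options: SAMEORIGIN header in the same response; base-uri has no such fallback.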