DEV Community

TonyTheTonyToneTone
TonyTheTonyToneTone

Posted on

AWS Amplify and CSP/CORs

After much wailing and gnashing of teeth, I finally got something that works in the AWS Custom Headers:

customHeaders:
  - pattern: '**/*'
    headers:
      - key: 'Strict-Transport-Security'
        value: 'max-age=31536000; includeSubDomains'
      - key: 'X-Frame-Options'
        value: 'SAMEORIGIN'
      - key: 'X-XSS-Protection'
        value: '1; mode=block'
      - key: 'X-Content-Type-Options'
        value: 'nosniff'
      - key: 'Content-Security-Policy'
        value: "default-src 'self' https://www.your-tld.co.uk; script-src 'self' https://www.your-tld.co.uk 'unsafe-inline' https://www.googletagmanager.com; connect-src 'unsafe-inline' https://analytics.google.com; img-src 'unsafe-inline' https://www.googletagmanager.com 'self' https://www.your-tld.co.uk 'unsafe-inline' https://i.vimeocdn.com 'self' data:; media-src 'unsafe-inline' https://f.vimeocdn.com 'unsafe-inline' https://i.vimeocdn.com; frame-src 'unsafe-inline' https://player.vimeo.com"
Enter fullscreen mode Exit fullscreen mode

This will allow Google Tag Manager, image src as data, and Vimeo videos playing in iframes.

I hope it saves someone the hours it's taken me to find this solution...

Top comments (1)

Collapse
 
strifecloud profile image
strife-cloud

Lovely, thank you so much!