From 1f164e9b86253f5a4ad26a8e162ae50d4994e26a Mon Sep 17 00:00:00 2001
From: Connor Kirkpatrick
Date: Thu, 3 Mar 2022 13:16:54 +0000
Subject: [PATCH] Add alternate bucket url to CSP

The bucket url used to access recordings in the UI differs in format across regions
In us-east-1 it is https://${AudioBucket}.s3.amazonaws.com
In other regions it is https://${AudioBucket}.s3.${AWS::Region}.amazonaws.com

This commit adds the second format to the content security policy
---
 pca-ui/cfn/lib/web.template | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/pca-ui/cfn/lib/web.template b/pca-ui/cfn/lib/web.template
index 7c48b9d6..e422c5a0 100644
--- a/pca-ui/cfn/lib/web.template
+++ b/pca-ui/cfn/lib/web.template
@@ -102,7 +102,9 @@ Resources:
         Name: !Sub "${AWS::StackName}-SecurityHeaders"
         SecurityHeadersConfig:
           ContentSecurityPolicy:
-            ContentSecurityPolicy: !Sub "default-src 'none'; img-src 'self' https://${DataBucket}.s3.amazonaws.com data:; script-src 'self'; style-src 'self' 'unsafe-inline'; object-src 'none'; connect-src 'self' https://*.execute-api.${AWS::Region}.amazonaws.com https://*.auth.${AWS::Region}.amazoncognito.com; font-src data:; media-src https://${AudioBucket}.s3.amazonaws.com; manifest-src 'self';"
+            # Cover both S3 URL types for media-src entries as it
+            # varies by region
+            ContentSecurityPolicy: !Sub "default-src 'none'; img-src 'self' https://${DataBucket}.s3.amazonaws.com https://${DataBucket}.s3.${AWS::Region}.amazonaws.com data:; script-src 'self'; style-src 'self' 'unsafe-inline'; object-src 'none'; connect-src 'self' https://*.execute-api.${AWS::Region}.amazonaws.com https://*.auth.${AWS::Region}.amazoncognito.com; font-src data:; media-src https://${AudioBucket}.s3.amazonaws.com; manifest-src 'self';"
             Override: True
           ContentTypeOptions:
             Override: True
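Review bot: The new ContentSecurityPolicy line does not do what the commit message and the added comment say: the regional URL form is appended to `img-src` for `${DataBucket}`, while `media-src` still lists only `https://${AudioBucket}.s3.amazonaws.com`, so recordings served from the regional endpoint outside us-east-1 remain blocked by the CSP. The directive should read `media-src https://${AudioBucket}.s3.amazonaws.com https://${AudioBucket}.s3.${AWS::Region}.amazonaws.com;` in addition to, or instead of, the img-src change. If the DataBucket entry is intentionally widened as well, the comment above the line should name both directives, e.g. `# S3 virtual-hosted URLs vary by region; allow both the global and regional form for img-src and media-src`. Both added origins are still bucket-specific hosts, so the policy is not broadened beyond the two buckets. The enclosing ResponseHeadersPolicy resource begins before the hunk.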