Which are the required rules to allow a Facebook login?
I currently allow these:
defaultSrc: ["'self'",
    '*.facebook.com',
    '*.akamaihd.net'],
scriptSrc: ["'self'",
    '*.facebook.com',
    '*.akamaihd.net',
    "'unsafe-inline'",
    "'unsafe-eval'"],
frameSrc: ["'self'",
    '*.facebook.com',
    '*.akamaihd.net'],
styleSrc: ["'self'",
    "'unsafe-inline'"],
imgSrc: ["'self'",
    '*.akamaihd.net',
    '*.facebook.com']
I'm using just
{
'default-src': "'none'",
'script-src': "'self' 'unsafe-inline' 'unsafe-eval' connect.facebook.net",
'connect-src': "'self'",
'img-src': "'self' www.facebook.com",
'style-src': "'self' 'unsafe-inline'",
'frame-src': "s-static.ak.facebook.com static.ak.facebook.com www.facebook.com",
}
but I'm not sure if there's anything missing.
I don't think you'll need to allow *.akamaihd.net
since this is just the CDN Facebook uses, and it is not required for Facebook Login.
Update: as stated in the comments below, this solution defeats the purpose of CSP and it's definitely not recommended as it's insecure.
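An added example, not code from the question or either answer: a small helper that serializes a helmet-style CSP object (camelCase keys with array values, or hyphenated keys with string values, as in the two snippets above) into a Content-Security-Policy header value, and reports which script-src sources weaken the policy ('unsafe-inline', 'unsafe-eval'), which is the point of the update above. The sample policy is constructed to mirror the question's configuration.

```javascript
// Added example (not from the question or either answer): serialize a
// helmet-style CSP object and flag the script-src keywords that undermine it.

// Map camelCase helmet keys (scriptSrc) to header directive names (script-src);
// already-hyphenated keys ('script-src') pass through unchanged.
function directiveName(key) {
  return key.replace(/[A-Z]/g, (c) => '-' + c.toLowerCase());
}

// Accept either an array of sources or a space-separated string of sources.
function toList(sources) {
  return Array.isArray(sources) ? sources : String(sources).trim().split(/\s+/);
}

// Build the header value, e.g. "default-src 'self' *.facebook.com; script-src ...".
function buildCsp(policy) {
  return Object.entries(policy)
    .map(([key, sources]) => `${directiveName(key)} ${toList(sources).join(' ')}`)
    .join('; ');
}

// Return the weakening keywords present in script-src. When script-src is
// absent, default-src governs scripts, so it is inspected instead.
function weakScriptSources(policy) {
  const weak = new Set(["'unsafe-inline'", "'unsafe-eval'"]);
  const src =
    policy.scriptSrc ?? policy['script-src'] ??
    policy.defaultSrc ?? policy['default-src'] ?? [];
  return toList(src).filter((s) => weak.has(s));
}

// Constructed sample policy with the same shape as the question's config.
const questionPolicy = {
  defaultSrc: ["'self'", '*.facebook.com', '*.akamaihd.net'],
  scriptSrc: ["'self'", '*.facebook.com', '*.akamaihd.net', "'unsafe-inline'", "'unsafe-eval'"],
  frameSrc: ["'self'", '*.facebook.com', '*.akamaihd.net'],
  styleSrc: ["'self'", "'unsafe-inline'"],
  imgSrc: ["'self'", '*.akamaihd.net', '*.facebook.com'],
};

console.log(buildCsp(questionPolicy));
console.log('weak script-src sources:', weakScriptSources(questionPolicy));
```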