From 0e92afc7ef0bb92f10c4326abeeaec0473ac14ec Mon Sep 17 00:00:00 2001
From: Maximilian Oertel
Date: Fri, 24 Jan 2025 15:52:33 +0000
Subject: [PATCH 1/7] Update img-src CSP
---
 firebase.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/firebase.json b/firebase.json
index 714376932..24397293a 100644
--- a/firebase.json
+++ b/firebase.json
@@ -26,7 +26,7 @@ "headers": [ { "key": "Content-Security-Policy-Report-Only", - "value": "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://*.googletagmanager.com https://googletagmanager.com https://tagmanager.google.com https://*.googleapis.com https://apis.google.com https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://browser.sentry-cdn.com https://js.sentry-cdn.com blob:; style-src 'self' 'unsafe-inline' https://googletagmanager.com https://tagmanager.google.com https://fonts.googleapis.com; img-src 'self' data: https://*.googletagmanager.com https://googletagmanager.com https://ssl.gstatic.com https://www.gstatic.com https://*.google-analytics.com; font-src 'self' https://fonts.gstatic.com data:; connect-src 'self' https://firestore.googleapis.com https://identitytoolkit.googleapis.com https://raw.githubusercontent.com/yeatmanlab/ https://us-central1-gse-roar-admin-dev.cloudfunctions.net https://*.googleapis.com https://*.googletagmanager.com https://*.google-analytics.com https://*.analytics.google.com https://*.sentry.io; frame-src 'self' https://roar.education https://gse-roar-admin-dev.firebaseapp.com/ https://gse-roar-assessment-dev.firebaseapp.com https://www.google.com/recaptcha/ https://recaptcha.google.com/recaptcha/; frame-ancestors 'none'; report-uri https://o4505913837420544.ingest.us.sentry.io/api/4506820782129152/security/?sentry_key=f15e3ff866394e93e00514b42113d03d&sentry_environment=staging; report-to csp-endpoint" + "value": "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://*.googletagmanager.com https://googletagmanager.com https://tagmanager.google.com https://*.googleapis.com https://apis.google.com https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://browser.sentry-cdn.com https://js.sentry-cdn.com blob:; style-src 'self' 'unsafe-inline' https://googletagmanager.com https://tagmanager.google.com https://fonts.googleapis.com; img-src 
'self' data: https://*.googletagmanager.com https://googletagmanager.com https://ssl.gstatic.com https://www.gstatic.com https://*.google-analytics.com https://storage.googleapis.com/roar-swr/ https://raw.githubusercontent.com/yeatmanlab/; font-src 'self' https://fonts.gstatic.com data:; connect-src 'self' https://firestore.googleapis.com https://identitytoolkit.googleapis.com https://raw.githubusercontent.com/yeatmanlab/ https://us-central1-gse-roar-admin-dev.cloudfunctions.net https://*.googleapis.com https://*.googletagmanager.com https://*.google-analytics.com https://*.analytics.google.com https://*.sentry.io; frame-src 'self' https://roar.education https://gse-roar-admin-dev.firebaseapp.com/ https://gse-roar-assessment-dev.firebaseapp.com https://www.google.com/recaptcha/ https://recaptcha.google.com/recaptcha/; frame-ancestors 'none'; report-uri https://o4505913837420544.ingest.us.sentry.io/api/4506820782129152/security/?sentry_key=f15e3ff866394e93e00514b42113d03d&sentry_environment=staging; report-to csp-endpoint" }, { "key": "Report-To", 
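Review bot: The two sources added to `img-src` here, `https://storage.googleapis.com/roar-swr/` and `https://raw.githubusercontent.com/yeatmanlab/`, rely on their path component to keep the shared hosts `storage.googleapis.com` and `raw.githubusercontent.com` scoped to this project, and CSP stops checking the path once a request has followed a redirect. For images the exposure is small, but strict JSON leaves no room for a comment, so the PR description should record it, for example `img-src: roar-swr bucket and yeatmanlab raw content are project-controlled; path scoping is not enforced after redirects`. The header is still `Content-Security-Policy-Report-Only`, so this edit changes what gets reported rather than what gets blocked. The production block in the second hunk of this patch (`@@ -74,7 +74,7 @@`) takes the same edit.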
@@ -74,7 +74,7 @@ "headers": [ { "key": "Content-Security-Policy-Report-Only", - "value": "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://*.googletagmanager.com https://googletagmanager.com https://tagmanager.google.com https://*.googleapis.com https://apis.google.com https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://browser.sentry-cdn.com https://js.sentry-cdn.com blob:; style-src 'self' 'unsafe-inline' https://googletagmanager.com https://tagmanager.google.com https://fonts.googleapis.com; img-src 'self' data: https://*.googletagmanager.com https://googletagmanager.com https://ssl.gstatic.com https://www.gstatic.com https://*.google-analytics.com; font-src 'self' https://fonts.gstatic.com data:; connect-src 'self' https://firestore.googleapis.com https://identitytoolkit.googleapis.com https://raw.githubusercontent.com/yeatmanlab/ https://us-central1-gse-roar-admin.cloudfunctions.net https://*.googleapis.com https://*.googletagmanager.com https://*.google-analytics.com https://*.analytics.google.com https://*.sentry.io; frame-src 'self' https://roar.education https://gse-roar-admin.firebaseapp.com/ https://gse-roar-assessment.firebaseapp.com https://www.google.com/recaptcha/ https://recaptcha.google.com/recaptcha/; frame-ancestors 'none'; report-uri https://o4505913837420544.ingest.us.sentry.io/api/4506820782129152/security/?sentry_key=f15e3ff866394e93e00514b42113d03d&sentry_environment=production; report-to csp-endpoint" + "value": "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://*.googletagmanager.com https://googletagmanager.com https://tagmanager.google.com https://*.googleapis.com https://apis.google.com https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://browser.sentry-cdn.com https://js.sentry-cdn.com blob:; style-src 'self' 'unsafe-inline' https://googletagmanager.com https://tagmanager.google.com https://fonts.googleapis.com; img-src 'self' data: 
https://*.googletagmanager.com https://googletagmanager.com https://ssl.gstatic.com https://www.gstatic.com https://*.google-analytics.com https://storage.googleapis.com/roar-swr/ https://raw.githubusercontent.com/yeatmanlab/; font-src 'self' https://fonts.gstatic.com data:; connect-src 'self' https://firestore.googleapis.com https://identitytoolkit.googleapis.com https://raw.githubusercontent.com/yeatmanlab/ https://us-central1-gse-roar-admin.cloudfunctions.net https://*.googleapis.com https://*.googletagmanager.com https://*.google-analytics.com https://*.analytics.google.com https://*.sentry.io; frame-src 'self' https://roar.education https://gse-roar-admin.firebaseapp.com/ https://gse-roar-assessment.firebaseapp.com https://www.google.com/recaptcha/ https://recaptcha.google.com/recaptcha/; frame-ancestors 'none'; report-uri https://o4505913837420544.ingest.us.sentry.io/api/4506820782129152/security/?sentry_key=f15e3ff866394e93e00514b42113d03d&sentry_environment=production; report-to csp-endpoint" }, { "key": "Report-To", From eaea3899d573805b32147a231632843bbbb8dba2 Mon Sep 17 00:00:00 2001 From: Maximilian Oertel Date: Fri, 24 Jan 2025 15:58:04 +0000 Subject: [PATCH 2/7] Fix cloud functions host CSP --- firebase.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/firebase.json b/firebase.json index 24397293a..8c8df71f3 100644 --- a/firebase.json +++ b/firebase.json 
@@ -26,7 +26,7 @@ "headers": [ { "key": "Content-Security-Policy-Report-Only", - "value": "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://*.googletagmanager.com https://googletagmanager.com https://tagmanager.google.com https://*.googleapis.com https://apis.google.com https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://browser.sentry-cdn.com https://js.sentry-cdn.com blob:; style-src 'self' 'unsafe-inline' https://googletagmanager.com https://tagmanager.google.com https://fonts.googleapis.com; img-src 'self' data: https://*.googletagmanager.com https://googletagmanager.com https://ssl.gstatic.com https://www.gstatic.com https://*.google-analytics.com https://storage.googleapis.com/roar-swr/ https://raw.githubusercontent.com/yeatmanlab/; font-src 'self' https://fonts.gstatic.com data:; connect-src 'self' https://firestore.googleapis.com https://identitytoolkit.googleapis.com https://raw.githubusercontent.com/yeatmanlab/ https://us-central1-gse-roar-admin-dev.cloudfunctions.net https://*.googleapis.com https://*.googletagmanager.com https://*.google-analytics.com https://*.analytics.google.com https://*.sentry.io; frame-src 'self' https://roar.education https://gse-roar-admin-dev.firebaseapp.com/ https://gse-roar-assessment-dev.firebaseapp.com https://www.google.com/recaptcha/ https://recaptcha.google.com/recaptcha/; frame-ancestors 'none'; report-uri https://o4505913837420544.ingest.us.sentry.io/api/4506820782129152/security/?sentry_key=f15e3ff866394e93e00514b42113d03d&sentry_environment=staging; report-to csp-endpoint" + "value": "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://*.googletagmanager.com https://googletagmanager.com https://tagmanager.google.com https://*.googleapis.com https://apis.google.com https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://browser.sentry-cdn.com https://js.sentry-cdn.com blob:; style-src 'self' 'unsafe-inline' 
https://googletagmanager.com https://tagmanager.google.com https://fonts.googleapis.com; img-src 'self' data: https://*.googletagmanager.com https://googletagmanager.com https://ssl.gstatic.com https://www.gstatic.com https://*.google-analytics.com https://storage.googleapis.com/roar-swr/ https://raw.githubusercontent.com/yeatmanlab/; font-src 'self' https://fonts.gstatic.com data:; connect-src 'self' https://firestore.googleapis.com https://identitytoolkit.googleapis.com https://raw.githubusercontent.com/yeatmanlab/ https://us-central1-gse-roar-admin-dev.cloudfunctions.net/ https://*.googleapis.com https://*.googletagmanager.com https://*.google-analytics.com https://*.analytics.google.com https://*.sentry.io; frame-src 'self' https://roar.education https://gse-roar-admin-dev.firebaseapp.com/ https://gse-roar-assessment-dev.firebaseapp.com https://www.google.com/recaptcha/ https://recaptcha.google.com/recaptcha/; frame-ancestors 'none'; report-uri https://o4505913837420544.ingest.us.sentry.io/api/4506820782129152/security/?sentry_key=f15e3ff866394e93e00514b42113d03d&sentry_environment=staging; report-to csp-endpoint" }, { "key": "Report-To", 
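Review bot: Appending `/` to `https://us-central1-gse-roar-admin-dev.cloudfunctions.net` in `connect-src` should not change what the source matches, because a host source with no path and one whose path is just `/` both cover every path on that host. If the edit was meant to clear a reported violation, the report probably has another cause, so check the `blocked-uri` of the report before relying on it. If the intent is only consistency with the `firebaseapp.com/` entry in `frame-src`, the commit message should say so, e.g. `Normalize trailing slash on cloud functions host (no matching change)`. The second hunk (`@@ -74,7 +74,7 @@`) makes the same edit to the production host.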
@@ -74,7 +74,7 @@ "headers": [ { "key": "Content-Security-Policy-Report-Only", - "value": "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://*.googletagmanager.com https://googletagmanager.com https://tagmanager.google.com https://*.googleapis.com https://apis.google.com https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://browser.sentry-cdn.com https://js.sentry-cdn.com blob:; style-src 'self' 'unsafe-inline' https://googletagmanager.com https://tagmanager.google.com https://fonts.googleapis.com; img-src 'self' data: https://*.googletagmanager.com https://googletagmanager.com https://ssl.gstatic.com https://www.gstatic.com https://*.google-analytics.com https://storage.googleapis.com/roar-swr/ https://raw.githubusercontent.com/yeatmanlab/; font-src 'self' https://fonts.gstatic.com data:; connect-src 'self' https://firestore.googleapis.com https://identitytoolkit.googleapis.com https://raw.githubusercontent.com/yeatmanlab/ https://us-central1-gse-roar-admin.cloudfunctions.net https://*.googleapis.com https://*.googletagmanager.com https://*.google-analytics.com https://*.analytics.google.com https://*.sentry.io; frame-src 'self' https://roar.education https://gse-roar-admin.firebaseapp.com/ https://gse-roar-assessment.firebaseapp.com https://www.google.com/recaptcha/ https://recaptcha.google.com/recaptcha/; frame-ancestors 'none'; report-uri https://o4505913837420544.ingest.us.sentry.io/api/4506820782129152/security/?sentry_key=f15e3ff866394e93e00514b42113d03d&sentry_environment=production; report-to csp-endpoint" + "value": "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://*.googletagmanager.com https://googletagmanager.com https://tagmanager.google.com https://*.googleapis.com https://apis.google.com https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://browser.sentry-cdn.com https://js.sentry-cdn.com blob:; style-src 'self' 'unsafe-inline' 
https://googletagmanager.com https://tagmanager.google.com https://fonts.googleapis.com; img-src 'self' data: https://*.googletagmanager.com https://googletagmanager.com https://ssl.gstatic.com https://www.gstatic.com https://*.google-analytics.com https://storage.googleapis.com/roar-swr/ https://raw.githubusercontent.com/yeatmanlab/; font-src 'self' https://fonts.gstatic.com data:; connect-src 'self' https://firestore.googleapis.com https://identitytoolkit.googleapis.com https://raw.githubusercontent.com/yeatmanlab/ https://us-central1-gse-roar-admin.cloudfunctions.net/ https://*.googleapis.com https://*.googletagmanager.com https://*.google-analytics.com https://*.analytics.google.com https://*.sentry.io; frame-src 'self' https://roar.education https://gse-roar-admin.firebaseapp.com/ https://gse-roar-assessment.firebaseapp.com https://www.google.com/recaptcha/ https://recaptcha.google.com/recaptcha/; frame-ancestors 'none'; report-uri https://o4505913837420544.ingest.us.sentry.io/api/4506820782129152/security/?sentry_key=f15e3ff866394e93e00514b42113d03d&sentry_environment=production; report-to csp-endpoint" }, { "key": "Report-To", From 04f9ecbb01b5ab03f2f80a59c517abacc985a33c Mon Sep 17 00:00:00 2001 From: Adam Richie-Halford Date: Mon, 27 Jan 2025 12:28:42 -0800 Subject: [PATCH 3/7] Update firebase.json --- firebase.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/firebase.json b/firebase.json index 8c8df71f3..3044b855a 100644 --- a/firebase.json +++ b/firebase.json 
@@ -26,7 +26,7 @@ "headers": [ { "key": "Content-Security-Policy-Report-Only", - "value": "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://*.googletagmanager.com https://googletagmanager.com https://tagmanager.google.com https://*.googleapis.com https://apis.google.com https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://browser.sentry-cdn.com https://js.sentry-cdn.com blob:; style-src 'self' 'unsafe-inline' https://googletagmanager.com https://tagmanager.google.com https://fonts.googleapis.com; img-src 'self' data: https://*.googletagmanager.com https://googletagmanager.com https://ssl.gstatic.com https://www.gstatic.com https://*.google-analytics.com https://storage.googleapis.com/roar-swr/ https://raw.githubusercontent.com/yeatmanlab/; font-src 'self' https://fonts.gstatic.com data:; connect-src 'self' https://firestore.googleapis.com https://identitytoolkit.googleapis.com https://raw.githubusercontent.com/yeatmanlab/ https://us-central1-gse-roar-admin-dev.cloudfunctions.net/ https://*.googleapis.com https://*.googletagmanager.com https://*.google-analytics.com https://*.analytics.google.com https://*.sentry.io; frame-src 'self' https://roar.education https://gse-roar-admin-dev.firebaseapp.com/ https://gse-roar-assessment-dev.firebaseapp.com https://www.google.com/recaptcha/ https://recaptcha.google.com/recaptcha/; frame-ancestors 'none'; report-uri https://o4505913837420544.ingest.us.sentry.io/api/4506820782129152/security/?sentry_key=f15e3ff866394e93e00514b42113d03d&sentry_environment=staging; report-to csp-endpoint" + "value": "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://*.googletagmanager.com https://googletagmanager.com https://tagmanager.google.com https://*.googleapis.com https://apis.google.com https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://browser.sentry-cdn.com https://js.sentry-cdn.com blob:; style-src 'self' 'unsafe-inline' 
https://googletagmanager.com https://tagmanager.google.com https://fonts.googleapis.com; img-src 'self' data: https://*.googletagmanager.com https://googletagmanager.com https://ssl.gstatic.com https://www.gstatic.com https://*.google-analytics.com https://storage.googleapis.com/roar-swr/ https://storage.googleapis.com/road-dashboard/ https://raw.githubusercontent.com/yeatmanlab/; font-src 'self' https://fonts.gstatic.com data:; connect-src 'self' https://firestore.googleapis.com https://identitytoolkit.googleapis.com https://raw.githubusercontent.com/yeatmanlab/ https://us-central1-gse-roar-admin-dev.cloudfunctions.net/ https://*.googleapis.com https://*.googletagmanager.com https://*.google-analytics.com https://*.analytics.google.com https://*.sentry.io; frame-src 'self' https://roar.education https://gse-roar-admin-dev.firebaseapp.com/ https://gse-roar-assessment-dev.firebaseapp.com https://www.google.com/recaptcha/ https://recaptcha.google.com/recaptcha/; frame-ancestors 'none'; report-uri https://o4505913837420544.ingest.us.sentry.io/api/4506820782129152/security/?sentry_key=f15e3ff866394e93e00514b42113d03d&sentry_environment=staging; report-to csp-endpoint" }, { "key": "Report-To", From 53ae8d8bb070f1d5db23a7eb77593baf3ac3142f Mon Sep 17 00:00:00 2001 From: Adam Richie-Halford Date: Mon, 27 Jan 2025 12:28:47 -0800 Subject: [PATCH 4/7] Update firebase.json --- firebase.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/firebase.json b/firebase.json index 3044b855a..2f9e46691 100644 --- a/firebase.json +++ b/firebase.json 
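Review bot: The bucket added to `img-src`, `https://storage.googleapis.com/road-dashboard/`, is spelled `road-` while the neighbouring entry is `roar-swr`, so it looks like a typo for `roar-dashboard`. Cloud Storage bucket names are global, so an allowlisted name the project does not own is a source that someone outside the project can control. If it is a typo the entry should read `https://storage.googleapis.com/roar-dashboard/`; otherwise confirm that the `road-dashboard` bucket belongs to the project. Patch 4/7 adds the same entry to the production block, and patch 6/7 carries it into `media-src`.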
@@ -74,7 +74,7 @@ "headers": [ { "key": "Content-Security-Policy-Report-Only", - "value": "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://*.googletagmanager.com https://googletagmanager.com https://tagmanager.google.com https://*.googleapis.com https://apis.google.com https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://browser.sentry-cdn.com https://js.sentry-cdn.com blob:; style-src 'self' 'unsafe-inline' https://googletagmanager.com https://tagmanager.google.com https://fonts.googleapis.com; img-src 'self' data: https://*.googletagmanager.com https://googletagmanager.com https://ssl.gstatic.com https://www.gstatic.com https://*.google-analytics.com https://storage.googleapis.com/roar-swr/ https://raw.githubusercontent.com/yeatmanlab/; font-src 'self' https://fonts.gstatic.com data:; connect-src 'self' https://firestore.googleapis.com https://identitytoolkit.googleapis.com https://raw.githubusercontent.com/yeatmanlab/ https://us-central1-gse-roar-admin.cloudfunctions.net/ https://*.googleapis.com https://*.googletagmanager.com https://*.google-analytics.com https://*.analytics.google.com https://*.sentry.io; frame-src 'self' https://roar.education https://gse-roar-admin.firebaseapp.com/ https://gse-roar-assessment.firebaseapp.com https://www.google.com/recaptcha/ https://recaptcha.google.com/recaptcha/; frame-ancestors 'none'; report-uri https://o4505913837420544.ingest.us.sentry.io/api/4506820782129152/security/?sentry_key=f15e3ff866394e93e00514b42113d03d&sentry_environment=production; report-to csp-endpoint" + "value": "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://*.googletagmanager.com https://googletagmanager.com https://tagmanager.google.com https://*.googleapis.com https://apis.google.com https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://browser.sentry-cdn.com https://js.sentry-cdn.com blob:; style-src 'self' 'unsafe-inline' 
https://googletagmanager.com https://tagmanager.google.com https://fonts.googleapis.com; img-src 'self' data: https://*.googletagmanager.com https://googletagmanager.com https://ssl.gstatic.com https://www.gstatic.com https://*.google-analytics.com https://storage.googleapis.com/roar-swr/ https://storage.googleapis.com/road-dashboard/ https://raw.githubusercontent.com/yeatmanlab/; font-src 'self' https://fonts.gstatic.com data:; connect-src 'self' https://firestore.googleapis.com https://identitytoolkit.googleapis.com https://raw.githubusercontent.com/yeatmanlab/ https://us-central1-gse-roar-admin.cloudfunctions.net/ https://*.googleapis.com https://*.googletagmanager.com https://*.google-analytics.com https://*.analytics.google.com https://*.sentry.io; frame-src 'self' https://roar.education https://gse-roar-admin.firebaseapp.com/ https://gse-roar-assessment.firebaseapp.com https://www.google.com/recaptcha/ https://recaptcha.google.com/recaptcha/; frame-ancestors 'none'; report-uri https://o4505913837420544.ingest.us.sentry.io/api/4506820782129152/security/?sentry_key=f15e3ff866394e93e00514b42113d03d&sentry_environment=production; report-to csp-endpoint" }, { "key": "Report-To", From 33c4be8e7066da834f2d92051061e80a229121ef Mon Sep 17 00:00:00 2001 From: emily-ejag Date: Thu, 30 Jan 2025 13:44:16 -0800 Subject: [PATCH 5/7] increasing time for ci build --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 5cd252b8e..69ebacdca 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -72,7 +72,7 @@ jobs: build: name: Build runs-on: ubuntu-latest - timeout-minutes: 5 + timeout-minutes: 10 steps: - name: Checkout repository From f31895ac06706cb4ae7856d2441adeae23eb2b17 Mon Sep 17 00:00:00 2001 
From: Maximilian Oertel
Date: Fri, 31 Jan 2025 22:36:35 +0100
Subject: [PATCH 6/7] Add buckets to img-src and media-src CSP
---
 firebase.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/firebase.json b/firebase.json
index a1f59d495..1b40f533c 100644
--- a/firebase.json
+++ b/firebase.json
@@ -26,7 +26,7 @@ "headers": [ { "key": "Content-Security-Policy-Report-Only", - "value": "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://*.googletagmanager.com https://googletagmanager.com https://tagmanager.google.com https://*.googleapis.com https://apis.google.com https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://browser.sentry-cdn.com https://js.sentry-cdn.com blob:; style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net/npm/katex@0.16.8/ https://googletagmanager.com https://tagmanager.google.com https://fonts.googleapis.com; img-src 'self' data: https://storage.googleapis.com/roam-apps/ https://*.googletagmanager.com https://googletagmanager.com https://ssl.gstatic.com https://www.gstatic.com https://*.google-analytics.com https://storage.googleapis.com/roar-swr/ https://storage.googleapis.com/road-dashboard/ https://raw.githubusercontent.com/yeatmanlab/; font-src 'self' https://fonts.gstatic.com data:; connect-src 'self' https://firestore.googleapis.com https://identitytoolkit.googleapis.com https://raw.githubusercontent.com/yeatmanlab/ https://us-central1-gse-roar-admin-dev.cloudfunctions.net/ https://*.googleapis.com https://*.googletagmanager.com https://*.google-analytics.com https://*.analytics.google.com https://*.sentry.io; frame-src 'self' https://roar.education https://gse-roar-admin-dev.firebaseapp.com/ https://gse-roar-assessment-dev.firebaseapp.com https://www.google.com/recaptcha/ https://recaptcha.google.com/recaptcha/; frame-ancestors 'none'; report-uri https://o4505913837420544.ingest.us.sentry.io/api/4506820782129152/security/?sentry_key=f15e3ff866394e93e00514b42113d03d&sentry_environment=staging; report-to csp-endpoint" + "value": "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://*.googletagmanager.com https://googletagmanager.com https://tagmanager.google.com https://*.googleapis.com https://apis.google.com https://www.google.com/recaptcha/ 
https://www.gstatic.com/recaptcha/ https://browser.sentry-cdn.com https://js.sentry-cdn.com blob:; style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net/npm/katex@0.16.8/ https://googletagmanager.com https://tagmanager.google.com https://fonts.googleapis.com; img-src 'self' data: https://storage.googleapis.com/roam-apps/ https://storage.googleapis.com/roam-fluency/ https://storage.googleapis.com/roar-ak/ https://storage.googleapis.com/roar-anb/ https://storage.googleapis.com/roar-inference/ https://storage.googleapis.com/roar-mep/ https://storage.googleapis.com/roar-mp/ https://storage.googleapis.com/roar-pa/ https://storage.googleapis.com/roar-phonics/ https://storage.googleapis.com/roar-shape/ https://storage.googleapis.com/roar-sre/ https://storage.googleapis.com/roar-survey/ https://storage.googleapis.com/roar-swr/ https://storage.googleapis.com/roar-vocab/ https://storage.googleapis.com/roav-crowding/ https://storage.googleapis.com/roav-mep/ https://storage.googleapis.com/roav-ran/ https://storage.googleapis.com/trog/ https://storage.googleapis.com/road-dashboard/ https://*.googletagmanager.com https://googletagmanager.com https://ssl.gstatic.com https://www.gstatic.com https://*.google-analytics.com https://raw.githubusercontent.com/yeatmanlab/; media-src https://storage.googleapis.com/roam-apps/ https://storage.googleapis.com/roam-fluency/ https://storage.googleapis.com/roar-ak/ https://storage.googleapis.com/roar-anb/ https://storage.googleapis.com/roar-inference/ https://storage.googleapis.com/roar-mep/ https://storage.googleapis.com/roar-mp/ https://storage.googleapis.com/roar-pa/ https://storage.googleapis.com/roar-phonics/ https://storage.googleapis.com/roar-shape/ https://storage.googleapis.com/roar-sre/ https://storage.googleapis.com/roar-survey/ https://storage.googleapis.com/roar-swr/ https://storage.googleapis.com/roar-vocab/ https://storage.googleapis.com/roav-crowding/ https://storage.googleapis.com/roav-mep/ 
https://storage.googleapis.com/roav-ran/ https://storage.googleapis.com/trog/ https://storage.googleapis.com/road-dashboard/; font-src 'self' https://fonts.gstatic.com data:; connect-src 'self' https://firestore.googleapis.com https://identitytoolkit.googleapis.com https://raw.githubusercontent.com/yeatmanlab/ https://us-central1-gse-roar-admin-dev.cloudfunctions.net/ https://*.googleapis.com https://*.googletagmanager.com https://*.google-analytics.com https://*.analytics.google.com https://*.sentry.io; frame-src 'self' https://roar.education https://gse-roar-admin-dev.firebaseapp.com/ https://gse-roar-assessment-dev.firebaseapp.com https://www.google.com/recaptcha/ https://recaptcha.google.com/recaptcha/; frame-ancestors 'none'; report-uri https://o4505913837420544.ingest.us.sentry.io/api/4506820782129152/security/?sentry_key=f15e3ff866394e93e00514b42113d03d&sentry_environment=staging; report-to csp-endpoint" }, { "key": "Report-To", 
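Review bot: The new `media-src` directive lists only the `storage.googleapis.com` bucket prefixes and omits `'self'`, so the `default-src 'self'` fallback no longer applies to audio and video, and any same-origin media would be reported (and blocked once the policy is enforced). If the app serves any media from its own origin, the directive should start `media-src 'self' https://storage.googleapis.com/roam-apps/ …`; `blob:` is also absent, which matters only if media is played from object URLs. The same bucket list now appears four times (two directives, two environments), which invites drift of the kind that needed separate commits in patches 3/7 and 4/7, so generating both header values from one list would help. The production block in the second hunk (`@@ -74,7 +74,7 @@`) has the same gap.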
@@ -74,7 +74,7 @@ "headers": [ { "key": "Content-Security-Policy-Report-Only", - "value": "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://*.googletagmanager.com https://googletagmanager.com https://tagmanager.google.com https://*.googleapis.com https://apis.google.com https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://browser.sentry-cdn.com https://js.sentry-cdn.com blob:; style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net/npm/katex@0.16.8/ https://googletagmanager.com https://tagmanager.google.com https://fonts.googleapis.com; img-src 'self' data: https://storage.googleapis.com/roam-apps/ https://*.googletagmanager.com https://googletagmanager.com https://ssl.gstatic.com https://www.gstatic.com https://*.google-analytics.com https://storage.googleapis.com/roar-swr/ https://storage.googleapis.com/road-dashboard/ https://raw.githubusercontent.com/yeatmanlab/; font-src 'self' https://fonts.gstatic.com data:; connect-src 'self' https://firestore.googleapis.com https://identitytoolkit.googleapis.com https://raw.githubusercontent.com/yeatmanlab/ https://us-central1-gse-roar-admin.cloudfunctions.net/ https://*.googleapis.com https://*.googletagmanager.com https://*.google-analytics.com https://*.analytics.google.com https://*.sentry.io; frame-src 'self' https://roar.education https://gse-roar-admin.firebaseapp.com/ https://gse-roar-assessment.firebaseapp.com https://www.google.com/recaptcha/ https://recaptcha.google.com/recaptcha/; frame-ancestors 'none'; report-uri https://o4505913837420544.ingest.us.sentry.io/api/4506820782129152/security/?sentry_key=f15e3ff866394e93e00514b42113d03d&sentry_environment=production; report-to csp-endpoint" + "value": "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://*.googletagmanager.com https://googletagmanager.com https://tagmanager.google.com https://*.googleapis.com https://apis.google.com https://www.google.com/recaptcha/ 
https://www.gstatic.com/recaptcha/ https://browser.sentry-cdn.com https://js.sentry-cdn.com blob:; style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net/npm/katex@0.16.8/ https://googletagmanager.com https://tagmanager.google.com https://fonts.googleapis.com; img-src 'self' data: https://storage.googleapis.com/roam-apps/ https://storage.googleapis.com/roam-fluency/ https://storage.googleapis.com/roar-ak/ https://storage.googleapis.com/roar-anb/ https://storage.googleapis.com/roar-inference/ https://storage.googleapis.com/roar-mep/ https://storage.googleapis.com/roar-mp/ https://storage.googleapis.com/roar-pa/ https://storage.googleapis.com/roar-phonics/ https://storage.googleapis.com/roar-shape/ https://storage.googleapis.com/roar-sre/ https://storage.googleapis.com/roar-survey/ https://storage.googleapis.com/roar-swr/ https://storage.googleapis.com/roar-vocab/ https://storage.googleapis.com/roav-crowding/ https://storage.googleapis.com/roav-mep/ https://storage.googleapis.com/roav-ran/ https://storage.googleapis.com/trog/ https://storage.googleapis.com/road-dashboard/ https://*.googletagmanager.com https://googletagmanager.com https://ssl.gstatic.com https://www.gstatic.com https://*.google-analytics.com https://raw.githubusercontent.com/yeatmanlab/; media-src https://storage.googleapis.com/roam-apps/ https://storage.googleapis.com/roam-fluency/ https://storage.googleapis.com/roar-ak/ https://storage.googleapis.com/roar-anb/ https://storage.googleapis.com/roar-inference/ https://storage.googleapis.com/roar-mep/ https://storage.googleapis.com/roar-mp/ https://storage.googleapis.com/roar-pa/ https://storage.googleapis.com/roar-phonics/ https://storage.googleapis.com/roar-shape/ https://storage.googleapis.com/roar-sre/ https://storage.googleapis.com/roar-survey/ https://storage.googleapis.com/roar-swr/ https://storage.googleapis.com/roar-vocab/ https://storage.googleapis.com/roav-crowding/ https://storage.googleapis.com/roav-mep/ 
https://storage.googleapis.com/roav-ran/ https://storage.googleapis.com/trog/ https://storage.googleapis.com/road-dashboard/; font-src 'self' https://fonts.gstatic.com data:; connect-src 'self' https://firestore.googleapis.com https://identitytoolkit.googleapis.com https://raw.githubusercontent.com/yeatmanlab/ https://us-central1-gse-roar-admin.cloudfunctions.net/ https://*.googleapis.com https://*.googletagmanager.com https://*.google-analytics.com https://*.analytics.google.com https://*.sentry.io; frame-src 'self' https://roar.education https://gse-roar-admin.firebaseapp.com/ https://gse-roar-assessment.firebaseapp.com https://www.google.com/recaptcha/ https://recaptcha.google.com/recaptcha/; frame-ancestors 'none'; report-uri https://o4505913837420544.ingest.us.sentry.io/api/4506820782129152/security/?sentry_key=f15e3ff866394e93e00514b42113d03d&sentry_environment=production; report-to csp-endpoint" }, { "key": "Report-To", From 1601b8f8e16f40a1bb5dc5cd0c04e1c75e1dd495 Mon Sep 17 00:00:00 2001 From: Maximilian Oertel Date: Tue, 4 Feb 2025 13:54:46 +0100 Subject: [PATCH 7/7] Remove deprecatd roam-fluency bucket --- firebase.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/firebase.json b/firebase.json index 1b40f533c..1a0926602 100644 --- a/firebase.json +++ b/firebase.json 
@@ -26,7 +26,7 @@ "headers": [ { "key": "Content-Security-Policy-Report-Only", - "value": "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://*.googletagmanager.com https://googletagmanager.com https://tagmanager.google.com https://*.googleapis.com https://apis.google.com https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://browser.sentry-cdn.com https://js.sentry-cdn.com blob:; style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net/npm/katex@0.16.8/ https://googletagmanager.com https://tagmanager.google.com https://fonts.googleapis.com; img-src 'self' data: https://storage.googleapis.com/roam-apps/ https://storage.googleapis.com/roam-fluency/ https://storage.googleapis.com/roar-ak/ https://storage.googleapis.com/roar-anb/ https://storage.googleapis.com/roar-inference/ https://storage.googleapis.com/roar-mep/ https://storage.googleapis.com/roar-mp/ https://storage.googleapis.com/roar-pa/ https://storage.googleapis.com/roar-phonics/ https://storage.googleapis.com/roar-shape/ https://storage.googleapis.com/roar-sre/ https://storage.googleapis.com/roar-survey/ https://storage.googleapis.com/roar-swr/ https://storage.googleapis.com/roar-vocab/ https://storage.googleapis.com/roav-crowding/ https://storage.googleapis.com/roav-mep/ https://storage.googleapis.com/roav-ran/ https://storage.googleapis.com/trog/ https://storage.googleapis.com/road-dashboard/ https://*.googletagmanager.com https://googletagmanager.com https://ssl.gstatic.com https://www.gstatic.com https://*.google-analytics.com https://raw.githubusercontent.com/yeatmanlab/; media-src https://storage.googleapis.com/roam-apps/ https://storage.googleapis.com/roam-fluency/ https://storage.googleapis.com/roar-ak/ https://storage.googleapis.com/roar-anb/ https://storage.googleapis.com/roar-inference/ https://storage.googleapis.com/roar-mep/ https://storage.googleapis.com/roar-mp/ https://storage.googleapis.com/roar-pa/ https://storage.googleapis.com/roar-phonics/ 
https://storage.googleapis.com/roar-shape/ https://storage.googleapis.com/roar-sre/ https://storage.googleapis.com/roar-survey/ https://storage.googleapis.com/roar-swr/ https://storage.googleapis.com/roar-vocab/ https://storage.googleapis.com/roav-crowding/ https://storage.googleapis.com/roav-mep/ https://storage.googleapis.com/roav-ran/ https://storage.googleapis.com/trog/ https://storage.googleapis.com/road-dashboard/; font-src 'self' https://fonts.gstatic.com data:; connect-src 'self' https://firestore.googleapis.com https://identitytoolkit.googleapis.com https://raw.githubusercontent.com/yeatmanlab/ https://us-central1-gse-roar-admin-dev.cloudfunctions.net/ https://*.googleapis.com https://*.googletagmanager.com https://*.google-analytics.com https://*.analytics.google.com https://*.sentry.io; frame-src 'self' https://roar.education https://gse-roar-admin-dev.firebaseapp.com/ https://gse-roar-assessment-dev.firebaseapp.com https://www.google.com/recaptcha/ https://recaptcha.google.com/recaptcha/; frame-ancestors 'none'; report-uri https://o4505913837420544.ingest.us.sentry.io/api/4506820782129152/security/?sentry_key=f15e3ff866394e93e00514b42113d03d&sentry_environment=staging; report-to csp-endpoint" + "value": "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://*.googletagmanager.com https://googletagmanager.com https://tagmanager.google.com https://*.googleapis.com https://apis.google.com https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://browser.sentry-cdn.com https://js.sentry-cdn.com blob:; style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net/npm/katex@0.16.8/ https://googletagmanager.com https://tagmanager.google.com https://fonts.googleapis.com; img-src 'self' data: https://storage.googleapis.com/roam-apps/ https://storage.googleapis.com/roar-ak/ https://storage.googleapis.com/roar-anb/ https://storage.googleapis.com/roar-inference/ https://storage.googleapis.com/roar-mep/ 
https://storage.googleapis.com/roar-mp/ https://storage.googleapis.com/roar-pa/ https://storage.googleapis.com/roar-phonics/ https://storage.googleapis.com/roar-shape/ https://storage.googleapis.com/roar-sre/ https://storage.googleapis.com/roar-survey/ https://storage.googleapis.com/roar-swr/ https://storage.googleapis.com/roar-vocab/ https://storage.googleapis.com/roav-crowding/ https://storage.googleapis.com/roav-mep/ https://storage.googleapis.com/roav-ran/ https://storage.googleapis.com/trog/ https://storage.googleapis.com/road-dashboard/ https://*.googletagmanager.com https://googletagmanager.com https://ssl.gstatic.com https://www.gstatic.com https://*.google-analytics.com https://raw.githubusercontent.com/yeatmanlab/; media-src https://storage.googleapis.com/roam-apps/ https://storage.googleapis.com/roar-ak/ https://storage.googleapis.com/roar-anb/ https://storage.googleapis.com/roar-inference/ https://storage.googleapis.com/roar-mep/ https://storage.googleapis.com/roar-mp/ https://storage.googleapis.com/roar-pa/ https://storage.googleapis.com/roar-phonics/ https://storage.googleapis.com/roar-shape/ https://storage.googleapis.com/roar-sre/ https://storage.googleapis.com/roar-survey/ https://storage.googleapis.com/roar-swr/ https://storage.googleapis.com/roar-vocab/ https://storage.googleapis.com/roav-crowding/ https://storage.googleapis.com/roav-mep/ https://storage.googleapis.com/roav-ran/ https://storage.googleapis.com/trog/ https://storage.googleapis.com/road-dashboard/; font-src 'self' https://fonts.gstatic.com data:; connect-src 'self' https://firestore.googleapis.com https://identitytoolkit.googleapis.com https://raw.githubusercontent.com/yeatmanlab/ https://us-central1-gse-roar-admin-dev.cloudfunctions.net/ https://*.googleapis.com https://*.googletagmanager.com https://*.google-analytics.com https://*.analytics.google.com https://*.sentry.io; frame-src 'self' https://roar.education https://gse-roar-admin-dev.firebaseapp.com/ 
https://gse-roar-assessment-dev.firebaseapp.com https://www.google.com/recaptcha/ https://recaptcha.google.com/recaptcha/; frame-ancestors 'none'; report-uri https://o4505913837420544.ingest.us.sentry.io/api/4506820782129152/security/?sentry_key=f15e3ff866394e93e00514b42113d03d&sentry_environment=staging; report-to csp-endpoint" }, { "key": "Report-To", 
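Review bot: Dropping `https://storage.googleapis.com/roam-fluency/` from `img-src` and `media-src` does not remove the retired bucket from the policy as a whole. `script-src` and `connect-src` in the same new value still carry `https://*.googleapis.com`, which matches every bucket path on `storage.googleapis.com`. If the aim is that a deprecated bucket name is no longer trusted, narrow that wildcard to the API hosts the app actually calls: `connect-src` already lists `https://firestore.googleapis.com` and `https://identitytoolkit.googleapis.com`, and `script-src` already lists `https://apis.google.com`. The production value in the `@@ -74,7 +74,7 @@` hunk has the same wildcard. Because the header key is `Content-Security-Policy-Report-Only`, this edit changes what is reported to Sentry rather than what the browser blocks.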
@@ -74,7 +74,7 @@ "headers": [ { "key": "Content-Security-Policy-Report-Only", - "value": "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://*.googletagmanager.com https://googletagmanager.com https://tagmanager.google.com https://*.googleapis.com https://apis.google.com https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://browser.sentry-cdn.com https://js.sentry-cdn.com blob:; style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net/npm/katex@0.16.8/ https://googletagmanager.com https://tagmanager.google.com https://fonts.googleapis.com; img-src 'self' data: https://storage.googleapis.com/roam-apps/ https://storage.googleapis.com/roam-fluency/ https://storage.googleapis.com/roar-ak/ https://storage.googleapis.com/roar-anb/ https://storage.googleapis.com/roar-inference/ https://storage.googleapis.com/roar-mep/ https://storage.googleapis.com/roar-mp/ https://storage.googleapis.com/roar-pa/ https://storage.googleapis.com/roar-phonics/ https://storage.googleapis.com/roar-shape/ https://storage.googleapis.com/roar-sre/ https://storage.googleapis.com/roar-survey/ https://storage.googleapis.com/roar-swr/ https://storage.googleapis.com/roar-vocab/ https://storage.googleapis.com/roav-crowding/ https://storage.googleapis.com/roav-mep/ https://storage.googleapis.com/roav-ran/ https://storage.googleapis.com/trog/ https://storage.googleapis.com/road-dashboard/ https://*.googletagmanager.com https://googletagmanager.com https://ssl.gstatic.com https://www.gstatic.com https://*.google-analytics.com https://raw.githubusercontent.com/yeatmanlab/; media-src https://storage.googleapis.com/roam-apps/ https://storage.googleapis.com/roam-fluency/ https://storage.googleapis.com/roar-ak/ https://storage.googleapis.com/roar-anb/ https://storage.googleapis.com/roar-inference/ https://storage.googleapis.com/roar-mep/ https://storage.googleapis.com/roar-mp/ https://storage.googleapis.com/roar-pa/ https://storage.googleapis.com/roar-phonics/ 
https://storage.googleapis.com/roar-shape/ https://storage.googleapis.com/roar-sre/ https://storage.googleapis.com/roar-survey/ https://storage.googleapis.com/roar-swr/ https://storage.googleapis.com/roar-vocab/ https://storage.googleapis.com/roav-crowding/ https://storage.googleapis.com/roav-mep/ https://storage.googleapis.com/roav-ran/ https://storage.googleapis.com/trog/ https://storage.googleapis.com/road-dashboard/; font-src 'self' https://fonts.gstatic.com data:; connect-src 'self' https://firestore.googleapis.com https://identitytoolkit.googleapis.com https://raw.githubusercontent.com/yeatmanlab/ https://us-central1-gse-roar-admin.cloudfunctions.net/ https://*.googleapis.com https://*.googletagmanager.com https://*.google-analytics.com https://*.analytics.google.com https://*.sentry.io; frame-src 'self' https://roar.education https://gse-roar-admin.firebaseapp.com/ https://gse-roar-assessment.firebaseapp.com https://www.google.com/recaptcha/ https://recaptcha.google.com/recaptcha/; frame-ancestors 'none'; report-uri https://o4505913837420544.ingest.us.sentry.io/api/4506820782129152/security/?sentry_key=f15e3ff866394e93e00514b42113d03d&sentry_environment=production; report-to csp-endpoint" + "value": "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://*.googletagmanager.com https://googletagmanager.com https://tagmanager.google.com https://*.googleapis.com https://apis.google.com https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://browser.sentry-cdn.com https://js.sentry-cdn.com blob:; style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net/npm/katex@0.16.8/ https://googletagmanager.com https://tagmanager.google.com https://fonts.googleapis.com; img-src 'self' data: https://storage.googleapis.com/roam-apps/ https://storage.googleapis.com/roar-ak/ https://storage.googleapis.com/roar-anb/ https://storage.googleapis.com/roar-inference/ https://storage.googleapis.com/roar-mep/ 
https://storage.googleapis.com/roar-mp/ https://storage.googleapis.com/roar-pa/ https://storage.googleapis.com/roar-phonics/ https://storage.googleapis.com/roar-shape/ https://storage.googleapis.com/roar-sre/ https://storage.googleapis.com/roar-survey/ https://storage.googleapis.com/roar-swr/ https://storage.googleapis.com/roar-vocab/ https://storage.googleapis.com/roav-crowding/ https://storage.googleapis.com/roav-mep/ https://storage.googleapis.com/roav-ran/ https://storage.googleapis.com/trog/ https://storage.googleapis.com/road-dashboard/ https://*.googletagmanager.com https://googletagmanager.com https://ssl.gstatic.com https://www.gstatic.com https://*.google-analytics.com https://raw.githubusercontent.com/yeatmanlab/; media-src https://storage.googleapis.com/roam-apps/ https://storage.googleapis.com/roar-ak/ https://storage.googleapis.com/roar-anb/ https://storage.googleapis.com/roar-inference/ https://storage.googleapis.com/roar-mep/ https://storage.googleapis.com/roar-mp/ https://storage.googleapis.com/roar-pa/ https://storage.googleapis.com/roar-phonics/ https://storage.googleapis.com/roar-shape/ https://storage.googleapis.com/roar-sre/ https://storage.googleapis.com/roar-survey/ https://storage.googleapis.com/roar-swr/ https://storage.googleapis.com/roar-vocab/ https://storage.googleapis.com/roav-crowding/ https://storage.googleapis.com/roav-mep/ https://storage.googleapis.com/roav-ran/ https://storage.googleapis.com/trog/ https://storage.googleapis.com/road-dashboard/; font-src 'self' https://fonts.gstatic.com data:; connect-src 'self' https://firestore.googleapis.com https://identitytoolkit.googleapis.com https://raw.githubusercontent.com/yeatmanlab/ https://us-central1-gse-roar-admin.cloudfunctions.net/ https://*.googleapis.com https://*.googletagmanager.com https://*.google-analytics.com https://*.analytics.google.com https://*.sentry.io; frame-src 'self' https://roar.education https://gse-roar-admin.firebaseapp.com/ 
https://gse-roar-assessment.firebaseapp.com https://www.google.com/recaptcha/ https://recaptcha.google.com/recaptcha/; frame-ancestors 'none'; report-uri https://o4505913837420544.ingest.us.sentry.io/api/4506820782129152/security/?sentry_key=f15e3ff866394e93e00514b42113d03d&sentry_environment=production; report-to csp-endpoint" }, { "key": "Report-To",