From ab264e4f6255a03aa22275e4b296110987a04221 Mon Sep 17 00:00:00 2001
From: Cristen Jones
Date: Thu, 9 Jan 2025 15:16:50 -0500
Subject: [PATCH 1/4] hotfix: add CDN to the CSP connect directives so that maplibre library can fetch and display these
---
 lib/dotcom_web/plugs/secure_headers.ex | 1 +
 1 file changed, 1 insertion(+)
diff --git a/lib/dotcom_web/plugs/secure_headers.ex b/lib/dotcom_web/plugs/secure_headers.ex
index 1f75c25c10..5365b549ae 100644
--- a/lib/dotcom_web/plugs/secure_headers.ex
+++ b/lib/dotcom_web/plugs/secure_headers.ex
@@ -12,6 +12,7 @@ defmodule DotcomWeb.Plugs.SecureHeaders do
 *.googleapis.com
 *.s3.amazonaws.com
 analytics.google.com
+ cdn.mbta.com
 px.ads.linkedin.com
 stats.g.doubleclick.net
 www.google-analytics.com
From 1fa77274968e1fdaa07b728d89821e0d12c68845 Mon Sep 17 00:00:00 2001
From: Cristen Jones
Date: Thu, 9 Jan 2025 15:18:41 -0500
Subject: [PATCH 2/4] fix: add GTM URL to the CSP frame directive
---
 lib/dotcom_web/plugs/secure_headers.ex | 1 +
 1 file changed, 1 insertion(+)
diff --git a/lib/dotcom_web/plugs/secure_headers.ex b/lib/dotcom_web/plugs/secure_headers.ex
index 5365b549ae..23e28b80c8 100644
--- a/lib/dotcom_web/plugs/secure_headers.ex
+++ b/lib/dotcom_web/plugs/secure_headers.ex
@@ -29,6 +29,7 @@ defmodule DotcomWeb.Plugs.SecureHeaders do
 livestream.com
 www.youtube.com
 www.google.com
+ www.googletagmanager.com
 www.instagram.com
 ],
 img: ~w[
From 7ff5b05423e04ec7e7b5a950120920a5acdcecec Mon Sep 17 00:00:00 2001
From: Cristen Jones
Date: Thu, 9 Jan 2025 15:18:59 -0500
Subject: [PATCH 3/4] chore: removed unused blocked-by-CSP resource
---
 lib/dotcom_web/templates/layout/root.html.eex | 1 -
 1 file changed, 1 deletion(-)
diff --git a/lib/dotcom_web/templates/layout/root.html.eex b/lib/dotcom_web/templates/layout/root.html.eex
index cbd1103ce8..5b8e525634 100644
--- a/lib/dotcom_web/templates/layout/root.html.eex
+++ b/lib/dotcom_web/templates/layout/root.html.eex
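Review bot: The `cdn.mbta.com` entry added to the connect list in PATCH 1/4 has no in-file record of which feature depends on it; the reason (maplibre fetching from the CDN) exists only in the commit subject. The lists appear to be `~w[]` sigils, where a word cannot carry its own comment, so a short comment above the list would do, for example `# cdn.mbta.com: resources fetched by the maplibre map library`. The same applies to `www.googletagmanager.com` (PATCH 2/4) and `*.soundcloud.com` (PATCH 4/4) in the frame list. Allowlist entries without a stated reason are hard to remove safely once the feature that needed them is gone. Both lists begin and end outside the hunks shown.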
@@ -27,7 +27,6 @@ " type="image/png"> " sizes="32x32" type="image/png"> " sizes="16x16" type="image/vnd.microsoft.icon"> - <%= if google_tag_manager_id() do %>
From 72ccf6b88e538e311f0ebad93fad50e35aafdf82 Mon Sep 17 00:00:00 2001
From: Cristen Jones
Date: Thu, 9 Jan 2025 15:23:14 -0500
Subject: [PATCH 4/4] feat: add soundcloud to CSP frame directive
---
 lib/dotcom_web/plugs/secure_headers.ex | 1 +
 1 file changed, 1 insertion(+)
diff --git a/lib/dotcom_web/plugs/secure_headers.ex b/lib/dotcom_web/plugs/secure_headers.ex
index 23e28b80c8..a705057de8 100644
--- a/lib/dotcom_web/plugs/secure_headers.ex
+++ b/lib/dotcom_web/plugs/secure_headers.ex
@@ -31,6 +31,7 @@ defmodule DotcomWeb.Plugs.SecureHeaders do
 www.google.com
 www.googletagmanager.com
 www.instagram.com
+ *.soundcloud.com
 ],
 img: ~w[
 img-src
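Review bot: `*.soundcloud.com` in the frame list (PATCH 4/4) allows framing of every SoundCloud subdomain, while the neighbouring entries such as `www.youtube.com` and `www.instagram.com` are each pinned to a single host. SoundCloud's embeddable player is served from `w.soundcloud.com`, so if only player embeds are intended the entry can be narrowed to `w.soundcloud.com`. Keep the wildcard only if another subdomain is known to be framed, and note which one. The frame list starts above this hunk, so entries outside the visible lines were not checked.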