Remove unused Twemoji CDN URLs from CSP configuration#1681

Closed
Copilot wants to merge 5 commits into develop from copilot/sub-pr-1678

Copilot AI commented Jan 6, 2026

What changes did you make and why did you make them?

Removed https://cdnjs.cloudflare.com/ajax/libs/twemoji/ from CSP imgSrcUrls and connectSrcUrls arrays in scriptUrls.js.

The URLs were unnecessary because:

  • App uses gemoji npm package which provides Unicode emoji characters
  • Emojis render as Unicode via nameToEmoji[name] in lib/utils/richText.tsx, not as CDN-loaded images
  • Twemoji is not installed as a dependency

Addresses reviewer feedback about overly narrow URL pattern by removing unused URLs rather than broadening them—minimizes CSP attack surface.

Did you run tests? Share screenshot of results:

  • Validated JavaScript syntax and module loading
  • Code review: no issues
  • CodeQL: no security vulnerabilities

How did you find us? (GitHub, Google search, social media, etc.):

N/A - addressing review feedback on PR #1678


Before submitting, check that you have completed the following tasks:

  • Answered the questions above.
  • Enabled "Allow edits and access to secrets by maintainers" on this PR.
  • If applicable, include images in the description.

After submitting, please be available for discussion. Thank you!


eleanorreem and others added 4 commits January 6, 2026 16:14
* Initial plan

* feat: Add reCAPTCHA URLs to frameSrcUrls for iframe support

Co-authored-by: eleanorreem <16049515+eleanorreem@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: eleanorreem <16049515+eleanorreem@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

vercel Bot commented Jan 6, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project | Deployment | Review | Updated (UTC)
bloom-frontend | Ready | Preview, Comment | Jan 6, 2026 4:37pm

The cdnjs.cloudflare.com/twemoji URLs were not needed because:
- The app uses the 'gemoji' npm package which provides Unicode emoji characters
- No actual Twemoji image CDN is being used in the codebase
- Emojis are rendered as Unicode characters, not loaded as images

This addresses the reviewer's concern about the overly narrow URL pattern.

Co-authored-by: eleanorreem <16049515+eleanorreem@users.noreply.github.com>
Copilot AI changed the title [WIP] Address feedback on CSP URLs for 2FA implementation Remove unused Twemoji CDN URLs from CSP configuration Jan 6, 2026
Copilot AI requested a review from eleanorreem January 6, 2026 16:38
Base automatically changed from 2FA-CSP-domains to develop January 6, 2026 16:48
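
An added example, not code from this PR or the project: a heuristic audit that flags CSP allowlist entries no application file references, which is the situation the PR description reports for the Twemoji URL. The list names and the Twemoji URL come from the PR; the function names, the other hosts and the file contents are constructed assumptions.

```javascript
// Added example; sample data is constructed, not taken from the project.
// CSP keywords ('self'), scheme-only sources (data:) and "*" name no host.
const NOT_A_HOST = /^(\*|'[^']*'|[a-z][a-z0-9+.-]*:)$/i;

// Reduce a CSP source expression to the string to search for in code:
//   "https://cdn.example/lib/x/" -> "cdn.example/lib/x/"
//   "https://*.example.test"     -> ".example.test" (any subdomain)
function searchNeedle(source) {
  if (NOT_A_HOST.test(source)) return null;
  const rest = source
    .replace(/^[a-z][a-z0-9+.-]*:\/\//i, '') // drop the scheme
    .replace(/[?#].*$/, '')                  // drop query and fragment
    .replace(/^([^\/]+)\/$/, '$1')           // "host/" -> "host"
    .toLowerCase();
  return rest.startsWith('*.') ? rest.slice(1) : rest;
}

// cspLists: { listName: [source, ...] }, files: { path: contents }.
// Returns [{ list, source }] for every source that no file mentions.
function findUnreferencedSources(cspLists, files) {
  const haystack = Object.values(files).join('\n').toLowerCase();
  const unreferenced = [];
  for (const [list, sources] of Object.entries(cspLists)) {
    for (const source of sources) {
      const needle = searchNeedle(source);
      if (needle !== null && !haystack.includes(needle)) {
        unreferenced.push({ list, source });
      }
    }
  }
  return unreferenced;
}

const TWEMOJI = 'https://cdnjs.cloudflare.com/ajax/libs/twemoji/';
const cspLists = {
  imgSrcUrls: ["'self'", 'data:', TWEMOJI, 'https://images.example.org'],
  connectSrcUrls: ["'self'", TWEMOJI, 'https://*.example-api.test'],
};
// Constructed stand-ins for application files (CSP config file excluded).
const files = {
  'lib/utils/richText.tsx': 'const emoji = nameToEmoji[name];',
  'lib/api.ts': "fetch('https://eu.example-api.test/v1/session');",
  'components/Avatar.tsx': '<img src="https://images.example.org/a.png" />',
};

console.log(findUnreferencedSources(cspLists, files));
```

Leave the CSP configuration file itself out of `files`, since it always contains every entry. A hit is only a removal candidate: hosts contacted by third-party scripts at runtime never appear in the repository, so check `Content-Security-Policy-Report-Only` reports before deleting an entry.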