
fix(www): fix CSP headers

- allow data: sources for img tags (Captcha)
- set default-src to 'self' so that resource prefetch works
  (prefetch-src not yet supported by any browser)
Peter Thomassen il y a 5 ans
Parent
commit
a0a1ce50b6

+ 1 - 1
test/e2e/spec/www_spec.js

@@ -156,7 +156,7 @@ describe("www/nginx", function () {
         it("has security headers", function () {
             var response = chakram.get('https://www/');
             expect(response).to.have.header('Strict-Transport-Security', 'max-age=31536000; includeSubdomains; preload');
-            expect(response).to.have.header('Content-Security-Policy', "default-src 'none'; frame-src 'none'; connect-src 'self'; font-src 'self'; img-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; base-uri 'self'; frame-ancestors 'none'; block-all-mixed-content; form-action 'none';");
+            expect(response).to.have.header('Content-Security-Policy', "default-src 'self'; frame-src 'none'; connect-src 'self'; font-src 'self'; img-src 'self' data:; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; base-uri 'self'; frame-ancestors 'none'; block-all-mixed-content; form-action 'none';");
             expect(response).to.have.header('X-Frame-Options', 'deny');
             expect(response).to.have.header('X-Content-Type-Options', 'nosniff');
             expect(response).to.have.header('Referrer-Policy', 'strict-origin-when-cross-origin');
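Review bot: The updated assertion on the `Content-Security-Policy` line compares the whole header byte-for-byte, so it breaks on any harmless reordering or whitespace change in the nginx config while still passing any weakness that is copied into both files in lockstep (the literal here is identical to the one in `90-desec.static.location`, so the test documents the policy rather than checking properties of it). A more robust shape is to split the header value on `;`, trim each entry, build a directive → sources map, and assert the properties that matter, e.g. `expect(directives['default-src']).to.equal("'self'")` and `expect(directives['script-src']).to.not.include("'unsafe-inline'")`, optionally keeping one exact-match assertion for the full string if drift detection is wanted. Whether the chakram promise chain is returned or awaited cannot be seen here, because the `it` body continues past the end of this hunk; the exact shape of chakram's response object for extracting the raw header is inferred, not visible in the hunk.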

+ 1 - 1
www/conf/sites-available/90-desec.static.location

@@ -3,7 +3,7 @@
 #####
 location / {
     add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload" always;
-    add_header Content-Security-Policy "default-src 'none'; frame-src 'none'; connect-src 'self'; font-src 'self'; img-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; base-uri 'self'; frame-ancestors 'none'; block-all-mixed-content; form-action 'none';" always;
+    add_header Content-Security-Policy "default-src 'self'; frame-src 'none'; connect-src 'self'; font-src 'self'; img-src 'self' data:; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; base-uri 'self'; frame-ancestors 'none'; block-all-mixed-content; form-action 'none';" always;
     add_header X-Frame-Options "deny" always;
     add_header X-Content-Type-Options "nosniff" always;
     add_header Referrer-Policy "strict-origin-when-cross-origin" always;
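Review bot: Relaxing `default-src` from `'none'` to `'self'` on the new `Content-Security-Policy` line changes the fallback for every fetch directive that is not listed explicitly, and `object-src`, `media-src`, `worker-src`, `manifest-src` and `child-src` are all absent from the policy, so same-origin plugin and media content that was denied before is now allowed (e.g. a PDF or legacy plugin resource served under this origin could be embedded via `<object>`/`<embed>`). Since the commit only needs the `'self'` fallback for prefetch, pin the unused fetch types back down explicitly, e.g. `object-src 'none'; worker-src 'none'; media-src 'none'; manifest-src 'none';`, and update the exact-match assertion in `test/e2e/spec/www_spec.js` accordingly. The carried-over `script-src 'self' 'unsafe-eval'` remains the weakest part of this policy; a config comment above the `add_header` naming which dependency requires `'unsafe-eval'` (presumably a front-end library — not visible here) would help the next reviewer judge whether it can be dropped. The `location /` block opened at the top of this hunk is closed outside it, so any further `add_header` lines it may contain are not visible.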