From 8e6a2b55c96aa0d37755ca109b8ea972e0dbdbc6 Mon Sep 17 00:00:00 2001
From: Patrick Uiterwijk
Date: Mon, 13 May 2019 13:24:42 +0200
Subject: [PATCH] Add strict CSP to getfedora.org

Signed-off-by: Patrick Uiterwijk
---
 roles/fedora-web/getfedora/files/csp.conf | 1 +
 roles/fedora-web/getfedora/tasks/main.yml | 1 +
 2 files changed, 2 insertions(+)
 create mode 100644 roles/fedora-web/getfedora/files/csp.conf

diff --git a/roles/fedora-web/getfedora/files/csp.conf b/roles/fedora-web/getfedora/files/csp.conf
new file mode 100644
index 0000000000..10ac9c3c6d
--- /dev/null
+++ b/roles/fedora-web/getfedora/files/csp.conf
@@ -0,0 +1 @@
+Header always set Content-Security-Policy "default-src 'none'; img-src 'self' https://fedoramagazine.org; script-src 'self'; style-src 'self' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; connect-src https://fedoramagazine.org; "
diff --git a/roles/fedora-web/getfedora/tasks/main.yml b/roles/fedora-web/getfedora/tasks/main.yml
index 155e895339..e73b75ce3b 100644
--- a/roles/fedora-web/getfedora/tasks/main.yml
+++ b/roles/fedora-web/getfedora/tasks/main.yml
@@ -11,6 +11,7 @@
 with_items:
 - getfedora.org.conf
 - languages.conf
+ - csp.conf
 notify:
 - reload proxyhttpd
 tags:
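Review bot: The policy added in csp.conf leaves `base-uri`, `form-action` and `frame-ancestors` unset, and none of these three falls back to `default-src 'none'`, so an injected `<base>` tag, form submission to another origin and framing by other sites stay unrestricted under this "strict" CSP. I would append `base-uri 'self'; form-action 'self'; frame-ancestors 'none';` to the header value; those values are my assumption and need adjusting if the site is legitimately framed or posts forms elsewhere. The header is also enforcing from the first deploy with no `report-uri` or `report-to`, so any inline script or style the pages still carry will break silently for visitors. Serving it first as `Content-Security-Policy-Report-Only` would surface that before enforcement. A one-line `#` comment in the file saying why fedoramagazine.org is allowed for `img-src` and `connect-src` would help whoever tightens the policy later.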