Pagure: only set the CSP headers in production, in staging use the application ones
Signed-off-by: Pierre-Yves Chibon <pingou@pingoured.fr>
This commit is contained in:
Pierre-Yves Chibon
parent
a9e8c10abe
commit
3d9a2d8251
1 changed files with 2 additions and 0 deletions
|
|
@ -2,4 +2,6 @@ Header always set X-Frame-Options "ALLOW-FROM https://pagure.io/"
|
||||||
Header always set X-Xss-Protection "1; mode=block"
|
Header always set X-Xss-Protection "1; mode=block"
|
||||||
Header always set X-Content-Type-Options "nosniff"
|
Header always set X-Content-Type-Options "nosniff"
|
||||||
Header always set Referrer-Policy "same-origin"
|
Header always set Referrer-Policy "same-origin"
|
||||||
|
{% if env != 'pagure-staging' %}
|
||||||
Header always set Content-Security-Policy "default-src 'self' https:; script-src 'self' 'unsafe-eval' 'unsafe-inline' https://apps.fedoraproject.org; style-src 'self' 'unsafe-inline' https://apps.fedoraproject.org"
|
Header always set Content-Security-Policy "default-src 'self' https:; script-src 'self' 'unsafe-eval' 'unsafe-inline' https://apps.fedoraproject.org; style-src 'self' 'unsafe-inline' https://apps.fedoraproject.org"
|
||||||
|
{% endif %}
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue