pagure: enable the application's own CSP headers

Signed-off-by: Pierre-Yves Chibon <pingou@pingoured.fr>
Pierre-Yves Chibon 2019-11-28 09:49:11 +01:00
parent 25cd75260f
commit 7f4b929694
2 changed files with 12 additions and 1 deletions


@ -383,4 +383,16 @@ CSP_HEADERS = (
"frame-src https://docs.stg.pagure.org;"
"frame-ancestors https://stg.pagure.io;"
)
{% else %}
CSP_HEADERS = (
"default-src 'self';"
"script-src 'self' '{nonce_script}'; "
"style-src 'self' '{nonce_style}'; "
"object-src 'none';"
"base-uri 'self';"
"img-src 'self' https:;"
"connect-src 'self' https://pagure.io:8088;"
"frame-src https://docs.pagure.org;"
"frame-ancestors https://pagure.io;"
)
{% endif %}
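Review bot: The new production policy has no `form-action` directive, and `form-action` does not fall back to `default-src`, so a markup injection could still point a form at an external origin; adding `"form-action 'self';"` next to `"base-uri 'self';"` closes that gap (the staging block above, whose `CSP_HEADERS = (` opens outside the hunk, would need the same line if it lacks it). The nonce sources only work if `{nonce_script}` and `{nonce_style}` render as `'nonce-<value>'` with a fresh random value per response, which this template cannot show — worth a comment such as `{# nonce_* are filled per request by the app as nonce-<base64>; a static value defeats the directive #}`. As a style point, the two nonce lines end with `; "` while the other directives end with `;"`; the stray space is harmless but inconsistent.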


@ -5,5 +5,4 @@ Header always set Referrer-Policy "same-origin"
Header always set X-Frame-Options "ALLOW-FROM https://stg.pagure.io/"
{% else %}
Header always set X-Frame-Options "ALLOW-FROM https://pagure.io/"
Header always set Content-Security-Policy "default-src 'self' https:; script-src 'self' 'unsafe-eval' 'unsafe-inline' https://apps.fedoraproject.org; style-src 'self' 'unsafe-inline' https://apps.fedoraproject.org"
{% endif %}
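Review bot: `Header always set X-Frame-Options "ALLOW-FROM https://pagure.io/"` is kept while the CSP moves into the application, but `ALLOW-FROM` is ignored by most current browsers, so the `frame-ancestors` directive in the app policy is now the only effective framing control; either drop this header or change it to `SAMEORIGIN` so browsers that fall back to X-Frame-Options still get a deny default (the staging line with `https://stg.pagure.io/` has the same issue). If, as the hunk counts suggest, the `Content-Security-Policy` line is the one removed here, note that responses Apache serves without passing through the application (static assets, error pages) no longer carry any CSP at all; a comment in this block stating that CSP is intentionally set by the app would help the next maintainer.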