From 1031b61f6a6c74c37720e30e6564bf75c6a11534 Mon Sep 17 00:00:00 2001
From: Kevin Veen-Birkenbach
Date: Thu, 15 May 2025 11:00:13 +0200
Subject: [PATCH] Optimized more CSP policies
---
 filter_plugins/csp_filters.py | 3 ++-
 roles/docker-nextcloud/vars/configuration.yml | 5 +++++
 roles/docker-portfolio/vars/configuration.yml | 2 +-
 roles/docker-wordpress/vars/configuration.yml | 5 ++++-
 4 files changed, 12 insertions(+), 3 deletions(-)
diff --git a/filter_plugins/csp_filters.py b/filter_plugins/csp_filters.py
index 6420ee36..970b47df 100644
--- a/filter_plugins/csp_filters.py
+++ b/filter_plugins/csp_filters.py
@@ -91,7 +91,8 @@ class FilterModule(object):
 'frame-src',
 'script-src',
 'style-src',
- 'font-src'
+ 'font-src',
+ 'worker-src',
 ]
 
 parts = []
diff --git a/roles/docker-nextcloud/vars/configuration.yml b/roles/docker-nextcloud/vars/configuration.yml
index 59fe356d..5cea6e2f 100644
--- a/roles/docker-nextcloud/vars/configuration.yml
+++ b/roles/docker-nextcloud/vars/configuration.yml
@@ -5,6 +5,11 @@ csp:
 flags:
 style-src:
 unsafe-inline: true
+ script-src:
+ unsafe-inline: true
+ whitelist:
+ font-src:
+ - data:
 oidc:
 enabled: "{{ applications.nextcloud.features.oidc | default(true) }}" # Activate OIDC for Nextcloud
 # floavor decides which OICD plugin should be used.
diff --git a/roles/docker-portfolio/vars/configuration.yml b/roles/docker-portfolio/vars/configuration.yml
index 3c157922..a0a47903 100644
--- a/roles/docker-portfolio/vars/configuration.yml
+++ b/roles/docker-portfolio/vars/configuration.yml
@@ -17,5 +17,5 @@ csp:
 frame-src:
 - "{{ web_protocol }}://*.{{primary_domain}}"
 flags:
- style-src-elem:
+ style-src:
 unsafe-inline: true
diff --git a/roles/docker-wordpress/vars/configuration.yml b/roles/docker-wordpress/vars/configuration.yml
index 38597ab9..2ba93662 100644
--- a/roles/docker-wordpress/vars/configuration.yml
+++ b/roles/docker-wordpress/vars/configuration.yml
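Review bot: Adding `'worker-src'` to this directive list changes the effective policy for every role that does not configure it, because browsers only fall back from worker-src to child-src, script-src and default-src while worker-src is absent; once the filter emits the directive explicitly that fallback chain is gone, which is presumably why the docker-wordpress hunk in this same commit has to whitelist `blob:` for workers. A comment on the list would make this visible to whoever adds the next directive, e.g. `# Every directive listed here is emitted explicitly, which disables the browser's CSP fallback for it; roles that relied on the fallback need their own whitelist entry.` The enclosing method of FilterModule starts and ends outside the hunk, so what the filter emits for a directive with no whitelist entries is not visible here.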
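Review bot: `unsafe-inline` on script-src removes most of the XSS mitigation a CSP provides, and the new `script-src:` flag block records no reason why Nextcloud needs it. State the motivation next to the flag so it is revisited rather than copied to other roles, e.g. `# Nextcloud ships inline scripts; unsafe-inline on script-src defeats CSP's XSS protection — re-check whether a hash/nonce-based policy is feasible`. The `font-src: - data:` whitelist is comparatively low risk but also deserves a one-line note naming what is served as data-URI fonts.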
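Review bot: Switching the flag from `style-src-elem` to `style-src` widens what `unsafe-inline` permits: style-src-elem governs only `<style>` elements and stylesheet links, whereas style-src is also the fallback for style-src-attr, so inline `style=""` attributes become allowed as well. If this is intentional it is fine; if the rename exists only because the directive list in csp_filters.py (first hunk) appears to have no `style-src-elem` entry, that reason should be recorded, e.g. `# style-src-elem is not in csp_filters.py's directive list; note style-src also permits inline style attributes`.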
@@ -21,4 +21,7 @@ csp:
 style-src:
 unsafe-inline: true
 script-src:
- unsafe-inline: true
\ No newline at end of file
+ unsafe-inline: true
+ whitelist:
+ worker-src:
+ - blob:
\ No newline at end of file
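Review bot: The new `worker-src: - blob:` whitelist carries no comment saying which WordPress component spawns blob: workers, so a later cleanup cannot tell whether the entry is still needed; a one-liner such as `# blob: workers are created by <WORDPRESS-COMPONENT — fill in>` would do. With `unsafe-inline` already on script-src the extra exposure from blob: workers is small, but the combination is worth stating explicitly. The file still ends without a trailing newline (`\ No newline at end of file` on both sides); adding one keeps future diffs of this file clean.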