kevinveenbirkenbach/computer-playbook
1
0
Fork 0
mirror of https://github.com/kevinveenbirkenbach/computer-playbook.git synced 2025-05-14 09:14:56 +02:00
Code Issues Packages Projects Releases Wiki Activity

Added CSP exceptions for presentation and portfolio

Browse Source
This commit is contained in:
Kevin Veen-Birkenbach 2025-05-13 16:03:17 +02:00
parent 3cb4cbf0d2
commit 13e98beed2
No known key found for this signature in database
GPG Key ID: 44D8F11FD62F878E
3 changed files with 35 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
roles/docker-portfolio/vars/configuration.yml
View File

@ -2,3 +2,14 @@ features:
matomo: true matomo: true
css: true css: true
landingpage_iframe: false landingpage_iframe: false
csp:
whitelist:
script-src:
- https://cdn.jsdelivr.net
- https://kit.fontawesome.com
style-src:
- https://cdn.jsdelivr.net
font-src:
- https://ka-f.fontawesome.com
frame-src:
- "{{ web_protocol }}://*.{{primary_domain}}"

12
roles/docker-presentation/vars/configuration.yml
View File

@ -2,3 +2,15 @@ features:
matomo: true matomo: true
css: true css: true
landingpage_iframe: true landingpage_iframe: true
csp:
whitelist:
script-src:
- https://cdnjs.cloudflare.com
- https://code.jquery.com
- https://cdn.jsdelivr.net
style-src:
- https://cdnjs.cloudflare.com
- https://cdn.jsdelivr.net
font-src:
- https://cdnjs.cloudflare.com

13
roles/nginx-docker-reverse-proxy/templates/headers/content_security_policy.conf.j2
View File

@ -12,7 +12,7 @@
'font-src' 'font-src'
] %} ] %}
{# Loop over each directive and build its value from 'self', any unsafe flags, and whitelisted URLs #} {# Loop over each directive and build its value from 'self', any unsafe flags, whitelist URLs, and optional Matomo #}
{%- for directive in directives %} {%- for directive in directives %}
{# Start with the 'self' source #} {# Start with the 'self' source #}
{%- set tokens = ["'self'"] %} {%- set tokens = ["'self'"] %}
@ -22,18 +22,23 @@
{%- set tokens = tokens + [flag] %} {%- set tokens = tokens + [flag] %}
{%- endfor %} {%- endfor %}
{# If Matomo feature is enabled, whitelist its script and connect sources #}
{%- if applications | is_feature_enabled('matomo', application_id) and directive in ['script-src','connect-src'] %}
{%- set tokens = tokens + ['{{ web_protocol }}://{{ domains.matomo }}'] %}
{%- endif %}
{# Add any extra hosts/URLs from csp.whitelist.<directive> #} {# Add any extra hosts/URLs from csp.whitelist.<directive> #}
{%- for url in applications | get_csp_whitelist(application_id, directive) %} {%- for url in applications | get_csp_whitelist(application_id, directive) %}
{%- set tokens = tokens + [url] %} {%- set tokens = tokens + [url] %}
{%- endfor %} {%- endfor %}
{# Combine into a single directive line and append to csp_parts #} {# Combine into a single directive line and append to csp_parts #}
{%- set csp_parts = csp_parts + [(directive ~ " " ~ (tokens | join(' ')) ~ ";")] %} {%- set csp_parts = csp_parts + [directive ~ ' ' ~ (tokens | join(' ')) ~ ';'] %}
{%- endfor %} {%- endfor %}
{# Preserve original img-src directive logic (do not loop) #} {# Preserve original img-src directive logic (do not loop) #}
{%- set img_src = "img-src * data: blob:" %} {%- set img_src = 'img-src * data: blob:' %}
{%- set csp_parts = csp_parts + [img_src ~ ";"] %} {%- set csp_parts = csp_parts + [img_src ~ ';'] %}
{# Emit the assembled Content-Security-Policy header and hide any upstream CSP header #} {# Emit the assembled Content-Security-Policy header and hide any upstream CSP header #}
add_header Content-Security-Policy "{{ csp_parts | join(' ') }}" always; add_header Content-Security-Policy "{{ csp_parts | join(' ') }}" always;