Added CSP exceptions for presentation and portfolio

2025-05-14 09:14:56 +02:00 · 2025-05-13 16:03:17 +02:00 · 2025-05-13 16:03:17 +02:00 · 13e98beed2
commit 13e98beed2
parent 3cb4cbf0d2
3 changed files with 35 additions and 7 deletions
--- a/roles/docker-portfolio/vars/configuration.yml
+++ b/roles/docker-portfolio/vars/configuration.yml
@ -1,4 +1,15 @@
 features:
  matomo:             true
  css:                true
-  landingpage_iframe: false
+  landingpage_iframe: false
+csp:
+  whitelist:
+    script-src:
+      - https://cdn.jsdelivr.net
+      - https://kit.fontawesome.com
+    style-src:
+      - https://cdn.jsdelivr.net
+    font-src:
+      - https://ka-f.fontawesome.com
+    frame-src:
+      - "{{ web_protocol }}://*.{{primary_domain}}"
--- a/roles/docker-presentation/vars/configuration.yml
+++ b/roles/docker-presentation/vars/configuration.yml
@ -1,4 +1,16 @@
 features:
  matomo:             true
  css:                true
-  landingpage_iframe: true
+  landingpage_iframe: true
+
+csp:
+  whitelist:
+    script-src:
+      - https://cdnjs.cloudflare.com
+      - https://code.jquery.com
+      - https://cdn.jsdelivr.net
+    style-src:
+      - https://cdnjs.cloudflare.com
+      - https://cdn.jsdelivr.net
+    font-src:
+      - https://cdnjs.cloudflare.com
--- a/roles/nginx-docker-reverse-proxy/templates/headers/content_security_policy.conf.j2
+++ b/roles/nginx-docker-reverse-proxy/templates/headers/content_security_policy.conf.j2
@ -12,7 +12,7 @@
     'font-src'
   ] %}

-{# Loop over each directive and build its value from 'self', any unsafe flags, and whitelisted URLs #}
+{# Loop over each directive and build its value from 'self', any unsafe flags, whitelist URLs, and optional Matomo #}
 {%- for directive in directives %}
  {# Start with the 'self' source #}
  {%- set tokens = ["'self'"] %}
@ -22,19 +22,24 @@
    {%- set tokens = tokens + [flag] %}
  {%- endfor %}

+  {# If Matomo feature is enabled, whitelist its script and connect sources #}
+  {%- if applications | is_feature_enabled('matomo', application_id) and directive in ['script-src','connect-src'] %}
+    {%- set tokens = tokens + ['{{ web_protocol }}://{{ domains.matomo }}'] %}
+  {%- endif %}
+
  {# Add any extra hosts/URLs from csp.whitelist.<directive> #}
  {%- for url in applications | get_csp_whitelist(application_id, directive) %}
    {%- set tokens = tokens + [url] %}
  {%- endfor %}

  {# Combine into a single directive line and append to csp_parts #}
-  {%- set csp_parts = csp_parts + [(directive ~ " " ~ (tokens | join(' ')) ~ ";")] %}
+  {%- set csp_parts = csp_parts + [directive ~ ' ' ~ (tokens | join(' ')) ~ ';'] %}
 {%- endfor %}

 {# Preserve original img-src directive logic (do not loop) #}
-{%- set img_src = "img-src * data: blob:" %}
-{%- set csp_parts = csp_parts + [img_src ~ ";"] %}
+{%- set img_src = 'img-src * data: blob:' %}
+{%- set csp_parts = csp_parts + [img_src ~ ';'] %}

 {# Emit the assembled Content-Security-Policy header and hide any upstream CSP header #}
 add_header Content-Security-Policy "{{ csp_parts | join(' ') }}" always;
-proxy_hide_header Content-Security-Policy;
+proxy_hide_header Content-Security-Policy;