Solved CSP bugs for echoserver

2025-06-24 19:25:32 +02:00 · 2025-06-10 18:25:39 +02:00 · 2025-06-10 18:25:39 +02:00 · 2541cc1c91
commit 2541cc1c91
parent 90e9e00205
6 changed files with 11 additions and 2 deletions
--- a/filter_plugins/csp_filters.py
+++ b/filter_plugins/csp_filters.py
@ -128,7 +128,7 @@ class FilterModule(object):
                ):
                    domain = domains.get('portfolio')[0]
                    sld_tld = ".".join(domain.split(".")[-2:])  # yields "example.com"
-                    tokens.append(f"{sld_tld}")               # yields "*.example.com"
+                    tokens.append(f"{sld_tld}")                 # yields "*.example.com"

                # whitelist
                tokens += self.get_csp_whitelist(applications, application_id, directive)
--- a/roles/docker-espocrm/vars/configuration.yml
+++ b/roles/docker-espocrm/vars/configuration.yml
@ -20,6 +20,8 @@ csp:
      unsafe-eval:    true
    style-src:
      unsafe-inline:  true
+    script-src:
+      unsafe-eval:    true
  whitelist:
    connect-src:
      - wss://espocrm.{{ primary_domain }}
--- a/roles/docker-matomo/vars/configuration.yml
+++ b/roles/docker-matomo/vars/configuration.yml
@ -13,11 +13,14 @@ csp:
    style-src:
      - https://fonts.googleapis.com
  flags:
+    script-src:
+      unsafe-eval:   true
    script-src-elem:
      unsafe-inline: true
      unsafe-eval:   true
    style-src:
      unsafe-inline: true
+      unsafe-eval:   true
 domains:
  aliases:
    - "analytics.{{ primary_domain }}"
--- a/roles/docker-peertube/vars/configuration.yml
+++ b/roles/docker-peertube/vars/configuration.yml
@ -7,6 +7,8 @@ features:
  oidc:               true
 csp:
  flags:
+    script-src-elem:
+      unsafe-inline:  true
    script-src:
      unsafe-inline:  true
    style-src:
--- a/roles/docker-sphinx/vars/configuration.yml
+++ b/roles/docker-sphinx/vars/configuration.yml
@ -4,6 +4,8 @@ features:
  portfolio_iframe:   false
 csp:
  flags:
+    script-src:
+      unsafe-eval:    true
    script-src-elem:
      unsafe-inline:  true
      unsafe-eval:    true
--- a/roles/nginx-modifier-matomo/tasks/main.yml
+++ b/roles/nginx-modifier-matomo/tasks/main.yml
@ -77,7 +77,7 @@
            (application_id): {
              'csp': {
                'hashes': {
-                  'script-src': (
+                  'script-src-elem': (
                    applications[application_id]['csp']['hashes'].get('script-src', [])
                    + [ matomo_tracking_code_one_liner ]
                  )