From 2541cc1c91218d14c2a5a6f1fc9447ebdb7a3fb2 Mon Sep 17 00:00:00 2001 From: Kevin Veen-Birkenbach Date: Tue, 10 Jun 2025 18:25:39 +0200 Subject: [PATCH] Solved CSP bugs for echoserver --- filter_plugins/csp_filters.py | 2 +- roles/docker-espocrm/vars/configuration.yml | 2 ++ roles/docker-matomo/vars/configuration.yml | 3 +++ roles/docker-peertube/vars/configuration.yml | 2 ++ roles/docker-sphinx/vars/configuration.yml | 2 ++ roles/nginx-modifier-matomo/tasks/main.yml | 2 +- 6 files changed, 11 insertions(+), 2 deletions(-) diff --git a/filter_plugins/csp_filters.py b/filter_plugins/csp_filters.py index dd8fdc60..32d37b8e 100644 --- a/filter_plugins/csp_filters.py +++ b/filter_plugins/csp_filters.py @@ -128,7 +128,7 @@ class FilterModule(object): ): domain = domains.get('portfolio')[0] sld_tld = ".".join(domain.split(".")[-2:]) # yields "example.com" - tokens.append(f"{sld_tld}") # yields "*.example.com" + tokens.append(f"{sld_tld}") # yields "*.example.com" # whitelist tokens += self.get_csp_whitelist(applications, application_id, directive) diff --git a/roles/docker-espocrm/vars/configuration.yml b/roles/docker-espocrm/vars/configuration.yml index 519b62a5..cdab184b 100644 --- a/roles/docker-espocrm/vars/configuration.yml +++ b/roles/docker-espocrm/vars/configuration.yml @@ -20,6 +20,8 @@ csp: unsafe-eval: true style-src: unsafe-inline: true + script-src: + unsafe-eval: true whitelist: connect-src: - wss://espocrm.{{ primary_domain }} diff --git a/roles/docker-matomo/vars/configuration.yml b/roles/docker-matomo/vars/configuration.yml index 800efb36..3dd4202b 100644 --- a/roles/docker-matomo/vars/configuration.yml +++ b/roles/docker-matomo/vars/configuration.yml @@ -13,11 +13,14 @@ csp: style-src: - https://fonts.googleapis.com flags: + script-src: + unsafe-eval: true script-src-elem: unsafe-inline: true unsafe-eval: true style-src: unsafe-inline: true + unsafe-eval: true domains: aliases: - "analytics.{{ primary_domain }}" \ No newline at end of file 
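Review bot: The `script-src:` / `unsafe-eval: true` flag added in the docker-espocrm hunk carries no comment saying what needs string-to-code evaluation, and the same undocumented flag is added in the docker-matomo and docker-sphinx hunks. `'unsafe-eval'` permits `eval()` and `new Function()` under the policy, so each occurrence should be traceable to a concrete requirement; I would add a comment above each, e.g. `# <component> needs eval()/new Function(); remove once it no longer does`. In the matomo and sphinx hunks the context lines show `unsafe-eval: true` already set under `script-src-elem`. String evaluation is checked against `script-src` (falling back to `default-src`), so that older entry most likely never had an effect and can be removed now that the flag sits on `script-src`. The `flags:` blocks start outside the hunks, so the full set of enabled flags is not visible here.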
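Review bot: The last added line of the docker-matomo hunk places `unsafe-eval: true` directly after `style-src`'s `unsafe-inline: true`, so it appears to enable `'unsafe-eval'` for `style-src` (indentation is not visible on this page, so the nesting is inferred). That keyword governs string-to-code evaluation under `script-src`; as far as I know current browsers do not act on it in `style-src`, which would make this line either a no-op or misplaced. If only the `script-src` flag added a few lines above was intended, I would drop this line. If it is deliberate, add a comment such as `# required for <feature>; fixes <console violation text>`.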
diff --git a/roles/docker-peertube/vars/configuration.yml b/roles/docker-peertube/vars/configuration.yml index f2251658..b4b95fe2 100644 --- a/roles/docker-peertube/vars/configuration.yml +++ b/roles/docker-peertube/vars/configuration.yml @@ -7,6 +7,8 @@ features: oidc: true csp: flags: + script-src-elem: + unsafe-inline: true script-src: unsafe-inline: true style-src: diff --git a/roles/docker-sphinx/vars/configuration.yml b/roles/docker-sphinx/vars/configuration.yml index d62a04e3..4b4529b2 100644 --- a/roles/docker-sphinx/vars/configuration.yml +++ b/roles/docker-sphinx/vars/configuration.yml @@ -4,6 +4,8 @@ features: portfolio_iframe: false csp: flags: + script-src: + unsafe-eval: true script-src-elem: unsafe-inline: true unsafe-eval: true diff --git a/roles/nginx-modifier-matomo/tasks/main.yml b/roles/nginx-modifier-matomo/tasks/main.yml index 83e9a08a..590c610d 100644 --- a/roles/nginx-modifier-matomo/tasks/main.yml +++ b/roles/nginx-modifier-matomo/tasks/main.yml @@ -77,7 +77,7 @@ (application_id): { 'csp': { 'hashes': { - 'script-src': ( + 'script-src-elem': ( applications[application_id]['csp']['hashes'].get('script-src', []) + [ matomo_tracking_code_one_liner ] )
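Review bot: The `script-src-elem:` / `unsafe-inline: true` flag added in the docker-peertube hunk allows every inline `<script>` element, which removes the protection CSP gives when markup injection happens. The nginx-modifier-matomo hunk in this patch shows the project supports per-directive `csp.hashes`; if the inline scripts in question are static, listing their hashes under `script-src-elem` would keep that protection. Browsers also ignore `'unsafe-inline'` in a directive that carries a hash or nonce, so with the Matomo tracking hash now written to `script-src-elem` this flag may have no effect where that modifier runs; it is worth checking the rendered header. If the flag stays, add a comment like `# inline <script> blocks from <component>; replace with csp.hashes once they are stable`.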
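Review bot: In the nginx-modifier-matomo hunk the key is renamed to `'script-src-elem'`, but the following line still seeds the list from `applications[application_id]['csp']['hashes'].get('script-src', [])`. As written, hashes an application already defines for `script-src-elem` are not read here and, depending on how the surrounding merge works (outside this hunk), may be replaced, while the `script-src` hashes are copied into `script-src-elem`. I would read from the directive that is written: `applications[application_id]['csp']['hashes'].get('script-src-elem', []) +`. The enclosing task starts and ends outside the hunk.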