Optimized CSP

roles/docker-discourse/vars/configuration.yml

@@ -1,11 +1,19 @@
 network:    "discourse_default"     # Name of the docker network
 container:  "discourse_application" # Name of the container application
 repository: "discourse_repository"  # Name of the repository folder
-credentials:
-#  database_password:                     # Needs to be defined in inventory file                        
+credentials:                    
 features:
   matomo:             true
   css:                true
   landingpage_iframe: false
   oidc:               true
-  central_database:   true
+  central_database:   true
+csp:
+  flags:
+    style-src:
+      unsafe_inline: true
+    script-src:
+      unsafe_inline: true
+  whitelist:
+    font-src:
+      - "http://*.{{primary_domain}}"

roles/docker-nextcloud/vars/configuration.yml

@@ -1,6 +1,10 @@
 version:                      "production"                                      # @see https://nextcloud.com/blog/nextcloud-release-channels-and-how-to-track-them/
 ldap:
   enabled:                    True                                              # Enables LDAP by default
+csp:
+  flags:
+    style-src:
+      unsafe_inline: true
 oidc:
   enabled:                    "{{ applications.nextcloud.features.oidc | default(true) }}"      # Activate OIDC for Nextcloud
   # floavor decides which OICD plugin should be used. 

roles/docker-openproject/vars/configuration.yml

@@ -12,4 +12,8 @@ features:
   landingpage_iframe: false
   ldap:               true
   central_database:   true
-  oauth2:             true
+  oauth2:             true
+csp:
+  flags:
+    script-src:
+      unsafe_inline: true

roles/docker-portfolio/vars/configuration.yml

@@ -11,5 +11,8 @@ csp:
       - https://cdn.jsdelivr.net
     font-src:
       - https://ka-f.fontawesome.com
+      - https://cdn.jsdelivr.net
+    connect-src:
+      - https://ka-f.fontawesome.com
     frame-src:
       - "{{ web_protocol }}://*.{{primary_domain}}"

roles/docker-presentation/vars/configuration.yml

@@ -13,4 +13,9 @@ csp:
       - https://cdnjs.cloudflare.com
       - https://cdn.jsdelivr.net
     font-src:
-      - https://cdnjs.cloudflare.com
+      - https://cdnjs.cloudflare.com
+  flags:
+    style-src:
+      unsafe_inline: true
+    script-src:
+      unsafe-eval: true

roles/health-csp/files/health-csp.py

@@ -25,7 +25,7 @@ def run_checkcsp(domains):
     """
     Executes the 'checkcsp' command with the given domains.
     """
-    cmd = ["checkcsp", "start"] + domains
+    cmd = ["checkcsp", "start", "--short"] + domains
     try:
         result = subprocess.run(cmd, check=True)
         return result.returncode

roles/nginx-modifier-matomo/tasks/main.yml

@@ -50,3 +50,38 @@
 - name: Set the tracking code as a one-liner
   set_fact:
     matomo_tracking_code_one_liner: "{{ matomo_tracking_code | regex_replace('\\n', '') | regex_replace('\\s+', ' ') }}"
+
+- name: Ensure csp.hashes exists for this app
+  set_fact:
+    applications: >-
+      {{
+        applications
+        | combine({
+            (application_id): {
+              'csp': {
+                'hashes': {}
+              }
+            }
+          }, recursive=True)
+      }}
+  changed_when: false
+
+- name: Append Matomo one-liner to script-src inline hashes
+  set_fact:
+    applications: >-
+      {{
+        applications
+        | combine({
+            (application_id): {
+              'csp': {
+                'hashes': {
+                  'script-src': (
+                    applications[application_id]['csp']['hashes'].get('script-src', [])
+                    + [ matomo_tracking_code_one_liner ]
+                  )
+                }
+              }
+            }
+          }, recursive=True)
+      }}
+  changed_when: false