Optimized CSP

2025-05-16 01:37:19 +02:00 · 2025-05-15 09:03:01 +02:00 · 2025-05-15 09:03:01 +02:00 · 779c60ef20
commit 779c60ef20
parent 551c041452
12 changed files with 61 additions and 21 deletions
--- a/filter_plugins/csp_filters.py
+++ b/filter_plugins/csp_filters.py
@ -31,13 +31,18 @@ class FilterModule(object):

    @staticmethod
    def get_csp_flags(applications, application_id, directive):
+        """
+        Dynamically extract all CSP flags for a given directive and return them as tokens,
+        e.g., "'unsafe-eval'", "'unsafe-inline'", etc.
+        """
        app = applications.get(application_id, {})
        flags = app.get('csp', {}).get('flags', {}).get(directive, {})
        tokens = []
-        if flags.get('unsafe_eval', False):
-            tokens.append("'unsafe-eval'")
-        if flags.get('unsafe_inline', False):
-            tokens.append("'unsafe-inline'")
+
+        for flag_name, enabled in flags.items():
+            if enabled:
+                tokens.append(f"'{flag_name}'")
+
        return tokens

    @staticmethod
--- a/roles/docker-discourse/vars/configuration.yml
+++ b/roles/docker-discourse/vars/configuration.yml
@ -11,9 +11,9 @@ features:
 csp:
  flags:
    style-src:
-      unsafe_inline: true
+      unsafe-inline: true
    script-src:
-      unsafe_inline: true
+      unsafe-inline: true
  whitelist:
    font-src:
      - "http://*.{{primary_domain}}"
--- a/roles/docker-espocrm/vars/configuration.yml
+++ b/roles/docker-espocrm/vars/configuration.yml
@ -5,13 +5,14 @@ users:
    email:                "{{ users.administrator.email }}"

 credentials:
-#  administrator_password: # Set in inventory file
-#  database_password:      # Set in your inventory file
-
 features:
  matomo:             true
  css:                false
  landingpage_iframe: false
  ldap:               false
  oidc:               true
-  central_database:   true
+  central_database:   true
+csp:
+  flags:
+    script-src:
+      unsafe-inline: true
--- a/roles/docker-lam/vars/configuration.yml
+++ b/roles/docker-lam/vars/configuration.yml
@ -11,4 +11,11 @@ features:
  landingpage_iframe:           true
  ldap:                         true
  central_database:             false
-  oauth2:                       false
+  oauth2:                       false
+csp:
+  flags:
+    style-src:
+      unsafe-inline: true
+    script-src:
+      unsafe-inline: true
+      unsafe-eval:   true
--- a/roles/docker-matomo/vars/configuration.yml
+++ b/roles/docker-matomo/vars/configuration.yml
@ -4,4 +4,16 @@ features:
  css:                false
  landingpage_iframe: false
  central_database:   true
-  oauth2:             false
+  oauth2:             false
+csp:
+  whitelist:
+    script-src:
+      - https://cdn.matomo.cloud
+    style-src:
+      - https://fonts.googleapis.com
+  flags:
+    script-src:
+      unsafe-inline: true
+      unsafe-eval:   true
+    style-src:
+      unsafe-inline: true
--- a/roles/docker-nextcloud/vars/configuration.yml
+++ b/roles/docker-nextcloud/vars/configuration.yml
@ -4,7 +4,7 @@ ldap:
 csp:
  flags:
    style-src:
-      unsafe_inline: true
+      unsafe-inline: true
 oidc:
  enabled:                    "{{ applications.nextcloud.features.oidc | default(true) }}"      # Activate OIDC for Nextcloud
  # floavor decides which OICD plugin should be used. 
--- a/roles/docker-openproject/vars/configuration.yml
+++ b/roles/docker-openproject/vars/configuration.yml
@ -16,4 +16,4 @@ features:
 csp:
  flags:
    script-src:
-      unsafe_inline: true
+      unsafe-inline: true
--- a/roles/docker-portfolio/vars/configuration.yml
+++ b/roles/docker-portfolio/vars/configuration.yml
@ -16,3 +16,6 @@ csp:
      - https://ka-f.fontawesome.com
    frame-src:
      - "{{ web_protocol }}://*.{{primary_domain}}"
+  flags:
+    style-src-elem:
+      unsafe-inline: true
--- a/roles/docker-presentation/vars/configuration.yml
+++ b/roles/docker-presentation/vars/configuration.yml
@ -16,6 +16,6 @@ csp:
      - https://cdnjs.cloudflare.com
  flags:
    style-src:
-      unsafe_inline: true
+      unsafe-inline: true
    script-src:
      unsafe-eval: true
--- a/roles/docker-sphinx/vars/configuration.yml
+++ b/roles/docker-sphinx/vars/configuration.yml
@ -1,4 +1,11 @@
 features:
  matomo:               true
  css:                  true
-  landingpage_iframe:   false
+  landingpage_iframe:   false
+csp:
+  flags:
+    script-src:
+      unsafe-inline:  true
+      unsafe-eval:    true
+    style-src:
+      unsafe-inline:  true
--- a/roles/docker-wordpress/vars/configuration.yml
+++ b/roles/docker-wordpress/vars/configuration.yml
@ -10,10 +10,15 @@ plugins:
    enabled:          true
  activitypub:
    enabled:          true
-      
 features:
  matomo:             true
  css:                false
  landingpage_iframe: false
  oidc:               true
-  central_database:   true
+  central_database:   true
+csp:
+  flags:
+    style-src:
+      unsafe-inline: true
+    script-src:
+      unsafe-inline: true
--- a/tests/unit/test_csp_filters.py
+++ b/tests/unit/test_csp_filters.py
@ -19,11 +19,11 @@ class TestCspFilters(unittest.TestCase):
                    },
                    'flags': {
                        'script-src': {
-                            'unsafe_eval': True,
-                            'unsafe_inline': False,
+                            'unsafe-eval': True,
+                            'unsafe-inline': False,
                        },
                        'style-src': {
-                            'unsafe_inline': True,
+                            'unsafe-inline': True,
                        },
                    },
                    'hashes': {