Optimized CSP

filter_plugins/csp_filters.py

@@ -31,13 +31,18 @@ class FilterModule(object):
 
     @staticmethod
     def get_csp_flags(applications, application_id, directive):
+        """
+        Dynamically extract all CSP flags for a given directive and return them as tokens,
+        e.g., "'unsafe-eval'", "'unsafe-inline'", etc.
+        """
         app = applications.get(application_id, {})
         flags = app.get('csp', {}).get('flags', {}).get(directive, {})
         tokens = []
-        if flags.get('unsafe_eval', False):
+
-            tokens.append("'unsafe-eval'")
+        for flag_name, enabled in flags.items():
-        if flags.get('unsafe_inline', False):
+            if enabled:
-            tokens.append("'unsafe-inline'")
+                tokens.append(f"'{flag_name}'")
+
         return tokens
 
     @staticmethod

roles/docker-discourse/vars/configuration.yml

@@ -11,9 +11,9 @@ features:
 csp:
   flags:
     style-src:
-      unsafe_inline: true
+      unsafe-inline: true
     script-src:
-      unsafe_inline: true
+      unsafe-inline: true
   whitelist:
     font-src:
       - "http://*.{{primary_domain}}"

roles/docker-espocrm/vars/configuration.yml

@@ -5,9 +5,6 @@ users:
     email:                "{{ users.administrator.email }}"
 
 credentials:
-#  administrator_password: # Set in inventory file
-#  database_password:      # Set in your inventory file
-
 features:
   matomo:             true
   css:                false
@@ -15,3 +12,7 @@ features:
   ldap:               false
   oidc:               true
   central_database:   true
+csp:
+  flags:
+    script-src:
+      unsafe-inline: true

roles/docker-lam/vars/configuration.yml

@@ -12,3 +12,10 @@ features:
   ldap:                         true
   central_database:             false
   oauth2:                       false
+csp:
+  flags:
+    style-src:
+      unsafe-inline: true
+    script-src:
+      unsafe-inline: true
+      unsafe-eval:   true

roles/docker-matomo/vars/configuration.yml

@@ -5,3 +5,15 @@ features:
   landingpage_iframe: false
   central_database:   true
   oauth2:             false
+csp:
+  whitelist:
+    script-src:
+      - https://cdn.matomo.cloud
+    style-src:
+      - https://fonts.googleapis.com
+  flags:
+    script-src:
+      unsafe-inline: true
+      unsafe-eval:   true
+    style-src:
+      unsafe-inline: true

roles/docker-nextcloud/vars/configuration.yml

@@ -4,7 +4,7 @@ ldap:
 csp:
   flags:
     style-src:
-      unsafe_inline: true
+      unsafe-inline: true
 oidc:
   enabled:                    "{{ applications.nextcloud.features.oidc | default(true) }}"      # Activate OIDC for Nextcloud
   # floavor decides which OICD plugin should be used. 

roles/docker-openproject/vars/configuration.yml

@@ -16,4 +16,4 @@ features:
 csp:
   flags:
     script-src:
-      unsafe_inline: true
+      unsafe-inline: true

roles/docker-portfolio/vars/configuration.yml

@@ -16,3 +16,6 @@ csp:
       - https://ka-f.fontawesome.com
     frame-src:
       - "{{ web_protocol }}://*.{{primary_domain}}"
+  flags:
+    style-src-elem:
+      unsafe-inline: true

roles/docker-presentation/vars/configuration.yml

@@ -16,6 +16,6 @@ csp:
       - https://cdnjs.cloudflare.com
   flags:
     style-src:
-      unsafe_inline: true
+      unsafe-inline: true
     script-src:
       unsafe-eval: true

roles/docker-sphinx/vars/configuration.yml

@@ -2,3 +2,10 @@ features:
   matomo:               true
   css:                  true
   landingpage_iframe:   false
+csp:
+  flags:
+    script-src:
+      unsafe-inline:  true
+      unsafe-eval:    true
+    style-src:
+      unsafe-inline:  true

roles/docker-wordpress/vars/configuration.yml

@@ -10,10 +10,15 @@ plugins:
     enabled:          true
   activitypub:
     enabled:          true
-      
 features:
   matomo:             true
   css:                false
   landingpage_iframe: false
   oidc:               true
   central_database:   true
+csp:
+  flags:
+    style-src:
+      unsafe-inline: true
+    script-src:
+      unsafe-inline: true

tests/unit/test_csp_filters.py

@@ -19,11 +19,11 @@ class TestCspFilters(unittest.TestCase):
                     },
                     'flags': {
                         'script-src': {
-                            'unsafe_eval': True,
+                            'unsafe-eval': True,
-                            'unsafe_inline': False,
+                            'unsafe-inline': False,
                         },
                         'style-src': {
-                            'unsafe_inline': True,
+                            'unsafe-inline': True,
                         },
                     },
                     'hashes': {