kevinveenbirkenbach/computer-playbook
1
0
Fork 0
mirror of https://github.com/kevinveenbirkenbach/computer-playbook.git synced 2025-05-16 01:37:19 +02:00
Code Issues Packages Projects Releases Wiki Activity

Optimized CSP

Browse Source
This commit is contained in:
Kevin Veen-Birkenbach 2025-05-15 09:03:01 +02:00
parent 551c041452
commit 779c60ef20
No known key found for this signature in database
GPG Key ID: 44D8F11FD62F878E
12 changed files with 61 additions and 21 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
filter_plugins/csp_filters.py
View File

@ -31,13 +31,18 @@ class FilterModule(object):
@staticmethod @staticmethod
def get_csp_flags(applications, application_id, directive): def get_csp_flags(applications, application_id, directive):
"""
Dynamically extract all CSP flags for a given directive and return them as tokens,
e.g., "'unsafe-eval'", "'unsafe-inline'", etc.
"""
app = applications.get(application_id, {}) app = applications.get(application_id, {})
flags = app.get('csp', {}).get('flags', {}).get(directive, {}) flags = app.get('csp', {}).get('flags', {}).get(directive, {})
tokens = [] tokens = []
if flags.get('unsafe_eval', False):
tokens.append("'unsafe-eval'") for flag_name, enabled in flags.items():
if flags.get('unsafe_inline', False): if enabled:
tokens.append("'unsafe-inline'") tokens.append(f"'{flag_name}'")
return tokens return tokens
@staticmethod @staticmethod

4
roles/docker-discourse/vars/configuration.yml
View File

@ -11,9 +11,9 @@ features:
csp: csp:
flags: flags:
style-src: style-src:
unsafe_inline: true unsafe-inline: true
script-src: script-src:
unsafe_inline: true unsafe-inline: true
whitelist: whitelist:
font-src: font-src:
- "http://*.{{primary_domain}}" - "http://*.{{primary_domain}}"

9
roles/docker-espocrm/vars/configuration.yml
View File

@ -5,13 +5,14 @@ users:
email: "{{ users.administrator.email }}" email: "{{ users.administrator.email }}"
credentials: credentials:
# administrator_password: # Set in inventory file
# database_password: # Set in your inventory file
features: features:
matomo: true matomo: true
css: false css: false
landingpage_iframe: false landingpage_iframe: false
ldap: false ldap: false
oidc: true oidc: true
central_database: true central_database: true
csp:
flags:
script-src:
unsafe-inline: true

9
roles/docker-lam/vars/configuration.yml
View File

@ -11,4 +11,11 @@ features:
landingpage_iframe: true landingpage_iframe: true
ldap: true ldap: true
central_database: false central_database: false
oauth2: false oauth2: false
csp:
flags:
style-src:
unsafe-inline: true
script-src:
unsafe-inline: true
unsafe-eval: true

14
roles/docker-matomo/vars/configuration.yml
View File

@ -4,4 +4,16 @@ features:
css: false css: false
landingpage_iframe: false landingpage_iframe: false
central_database: true central_database: true
oauth2: false oauth2: false
csp:
whitelist:
script-src:
- https://cdn.matomo.cloud
style-src:
- https://fonts.googleapis.com
flags:
script-src:
unsafe-inline: true
unsafe-eval: true
style-src:
unsafe-inline: true

2
roles/docker-nextcloud/vars/configuration.yml
View File

@ -4,7 +4,7 @@ ldap:
csp: csp:
flags: flags:
style-src: style-src:
unsafe_inline: true unsafe-inline: true
oidc: oidc:
enabled: "{{ applications.nextcloud.features.oidc | default(true) }}" # Activate OIDC for Nextcloud enabled: "{{ applications.nextcloud.features.oidc | default(true) }}" # Activate OIDC for Nextcloud
# floavor decides which OICD plugin should be used. # floavor decides which OICD plugin should be used.

2
roles/docker-openproject/vars/configuration.yml
View File

@ -16,4 +16,4 @@ features:
csp: csp:
flags: flags:
script-src: script-src:
unsafe_inline: true unsafe-inline: true

3
roles/docker-portfolio/vars/configuration.yml
View File

@ -16,3 +16,6 @@ csp:
- https://ka-f.fontawesome.com - https://ka-f.fontawesome.com
frame-src: frame-src:
- "{{ web_protocol }}://*.{{primary_domain}}" - "{{ web_protocol }}://*.{{primary_domain}}"
flags:
style-src-elem:
unsafe-inline: true

2
roles/docker-presentation/vars/configuration.yml
View File

@ -16,6 +16,6 @@ csp:
- https://cdnjs.cloudflare.com - https://cdnjs.cloudflare.com
flags: flags:
style-src: style-src:
unsafe_inline: true unsafe-inline: true
script-src: script-src:
unsafe-eval: true unsafe-eval: true

9
roles/docker-sphinx/vars/configuration.yml
View File

@ -1,4 +1,11 @@
features: features:
matomo: true matomo: true
css: true css: true
landingpage_iframe: false landingpage_iframe: false
csp:
flags:
script-src:
unsafe-inline: true
unsafe-eval: true
style-src:
unsafe-inline: true

9
roles/docker-wordpress/vars/configuration.yml
View File

@ -10,10 +10,15 @@ plugins:
enabled: true enabled: true
activitypub: activitypub:
enabled: true enabled: true
features: features:
matomo: true matomo: true
css: false css: false
landingpage_iframe: false landingpage_iframe: false
oidc: true oidc: true
central_database: true central_database: true
csp:
flags:
style-src:
unsafe-inline: true
script-src:
unsafe-inline: true

6
tests/unit/test_csp_filters.py
View File

@ -19,11 +19,11 @@ class TestCspFilters(unittest.TestCase):
}, },
'flags': { 'flags': {
'script-src': { 'script-src': {
'unsafe_eval': True, 'unsafe-eval': True,
'unsafe_inline': False, 'unsafe-inline': False,
}, },
'style-src': { 'style-src': {
'unsafe_inline': True, 'unsafe-inline': True,
}, },
}, },
'hashes': { 'hashes': {