Solved j2 specific variable bug

This commit is contained in:
Kevin Veen-Birkenbach 2025-05-14 14:02:01 +02:00
parent ec0d266975
commit 8fac2296fe
No known key found for this signature in database
GPG Key ID: 44D8F11FD62F878E


@ -1,8 +1,8 @@
{# Initialize an array to collect each CSP directive line #} {# Create a namespace to hold the accumulated CSP parts #}
{%- set csp_parts = [] %} {% set ns = namespace(csp_parts=[]) %}
{# List of all directives to process dynamically (except img-src) #} {# List of directives to build dynamically (except img-src) #}
{%- set directives = [ {% set directives = [
'default-src', 'default-src',
'connect-src', 'connect-src',
'frame-ancestors', 'frame-ancestors',
@ -12,34 +12,34 @@
'font-src' 'font-src'
] %} ] %}
{# Loop over each directive and build its value from 'self', any unsafe flags, whitelist URLs, and optional Matomo #} {# Build each directive line #}
{%- for directive in directives %} {% for directive in directives %}
{# Start with the 'self' source #} {# Always start with 'self' #}
{%- set tokens = ["'self'"] %} {% set tokens = ["'self'"] %}
{# Add any unsafe flags (unsafe-eval, unsafe-inline) from csp.flags.<directive> #} {# Add any unsafe flags for this directive #}
{%- for flag in applications | get_csp_flags(application_id, directive) %} {% for flag in applications | get_csp_flags(application_id, directive) %}
{%- set tokens = tokens + [flag] %} {% set tokens = tokens + [flag] %}
{%- endfor %} {% endfor %}
{# If Matomo feature is enabled, whitelist its script and connect sources #} {# If Matomo is enabled, allow its script and connect endpoints #}
{%- if applications | is_feature_enabled('matomo', application_id) and directive in ['script-src','connect-src'] %} {% if applications | is_feature_enabled('matomo', application_id)
{%- set tokens = tokens + ['{{ web_protocol }}://{{ domains.matomo }}'] %} and directive in ['script-src', 'connect-src'] %}
{%- endif %} {% set tokens = tokens + [web_protocol ~ '://' ~ domains.matomo] %}
{% endif %}
{# Add any extra hosts/URLs from csp.whitelist.<directive> #} {# Append any extra whitelist URLs for this directive #}
{%- for url in applications | get_csp_whitelist(application_id, directive) %} {% for url in applications | get_csp_whitelist(application_id, directive) %}
{%- set tokens = tokens + [url] %} {% set tokens = tokens + [url] %}
{%- endfor %} {% endfor %}
{# Combine into a single directive line and append to csp_parts #} {# Store the completed directive line in the namespace #}
{%- set csp_parts = csp_parts + [directive ~ ' ' ~ (tokens | join(' ')) ~ ';'] %} {% set ns.csp_parts = ns.csp_parts + [directive ~ ' ' ~ (tokens | join(' ')) ~ ';'] %}
{%- endfor %} {% endfor %}
{# Preserve original img-src directive logic (do not loop) #} {# Add the (static) img-src directive #}
{%- set img_src = 'img-src * data: blob:' %} {% set ns.csp_parts = ns.csp_parts + ['img-src * data: blob:;'] %}
{%- set csp_parts = csp_parts + [img_src ~ ';'] %}
{# Emit the assembled Content-Security-Policy header and hide any upstream CSP header #} {# Emit the final header and hide any upstream header #}
add_header Content-Security-Policy "{{ csp_parts | join(' ') }}" always; add_header Content-Security-Policy "{{ ns.csp_parts | join(' ') }}" always;
proxy_hide_header Content-Security-Policy; proxy_hide_header Content-Security-Policy;
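Review bot: The inner loops at `{% set tokens = tokens + [flag] %}` and `{% set tokens = tokens + [url] %}` still hit the scoping rule this commit works around for `csp_parts`: a `set` inside a `for` block is local to that loop, so after each inner `endfor` the outer `tokens` reverts to `["'self'"]` (plus the Matomo entry, which sits in an `if` rather than a loop and so should survive). Unless `get_csp_flags` and `get_csp_whitelist` happen to return nothing, the rendered policy silently drops every configured unsafe flag and whitelist host, which is hard to notice because the header still renders and looks plausible. Moving `tokens` onto the same namespace object fixes it; `namespace()` accepts new attributes, so the `ns` declaration in the first hunk needs no change. If the two filters return plain lists, the loops could instead be collapsed to `{% set tokens = tokens + (applications | get_csp_flags(application_id, directive) | list) %}` and the equivalent for the whitelist, which avoids the scoping issue entirely.

```jinja
{% for directive in directives %}
  {# Keep tokens on the namespace so sets inside the inner loops persist #}
  {% set ns.tokens = ["'self'"] %}
  {% for flag in applications | get_csp_flags(application_id, directive) %}
    {% set ns.tokens = ns.tokens + [flag] %}
  {% endfor %}
  {% if applications | is_feature_enabled('matomo', application_id)
        and directive in ['script-src', 'connect-src'] %}
    {% set ns.tokens = ns.tokens + [web_protocol ~ '://' ~ domains.matomo] %}
  {% endif %}
  {% for url in applications | get_csp_whitelist(application_id, directive) %}
    {% set ns.tokens = ns.tokens + [url] %}
  {% endfor %}
  {% set ns.csp_parts = ns.csp_parts + [directive ~ ' ' ~ (ns.tokens | join(' ')) ~ ';'] %}
{% endfor %}
{# … unchanged: img-src line, add_header / proxy_hide_header … #}
```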