diff --git a/filter_plugins/csp_filters.py b/filter_plugins/csp_filters.py
index da774b94..727ec9a4 100644
--- a/filter_plugins/csp_filters.py
+++ b/filter_plugins/csp_filters.py
@@ -109,7 +109,7 @@ class FilterModule(object):
 # Matomo integration
 if (
 self.is_feature_enabled(applications, matomo_feature_name, application_id)
- and directive in ['script-src', 'connect-src']
+ and directive in ['script-src-elem', 'connect-src']
 ):
 matomo_domain = domains.get('matomo')[0]
 if matomo_domain:
@@ -117,10 +117,9 @@ class FilterModule(object):
 # ReCaptcha integration: allow loading scripts from Google if feature enabled
 if self.is_feature_enabled(applications, 'recaptcha', application_id):
- if directive == 'script-src':
- tokens.append('https://www.google.com')
 if directive == 'script-src-elem':
 tokens.append('https://www.gstatic.com')
+ tokens.append('https://www.google.com')
 # Enable loading via ancestors
 if (
diff --git a/roles/docker-bigbluebutton/vars/configuration.yml b/roles/docker-bigbluebutton/vars/configuration.yml
index daa6c811..14d4c45c 100644
--- a/roles/docker-bigbluebutton/vars/configuration.yml
+++ b/roles/docker-bigbluebutton/vars/configuration.yml
@@ -17,7 +17,7 @@ domains:
 - "meet.{{ primary_domain }}"
 csp:
 flags:
- script-src:
+ script-src-elem:
 unsafe-inline: true
 style-src:
 unsafe-inline: true
\ No newline at end of file
diff --git a/roles/docker-discourse/vars/configuration.yml b/roles/docker-discourse/vars/configuration.yml
index 22b26e97..c5b19c84 100644
--- a/roles/docker-discourse/vars/configuration.yml
+++ b/roles/docker-discourse/vars/configuration.yml
@@ -12,7 +12,7 @@ csp:
 flags:
 style-src:
 unsafe-inline: true
- script-src:
+ script-src-elem:
 unsafe-inline: true
 whitelist:
 font-src:
diff --git a/roles/docker-espocrm/vars/configuration.yml b/roles/docker-espocrm/vars/configuration.yml
index 6c1eca56..519b62a5 100644
--- a/roles/docker-espocrm/vars/configuration.yml
+++ b/roles/docker-espocrm/vars/configuration.yml
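Review bot: The Matomo branch now fires only for `script-src-elem`, and the ReCaptcha hunk below likewise appends both Google hosts only under `script-src-elem`, so a browser without CSP3 `script-src-elem` support falls back to `script-src`, which per the updated unit test is reduced to `'self' 'unsafe-eval'` and no longer carries those hosts. In supporting browsers the split is a tightening worth spelling out: `script-src-elem 'unsafe-inline'` (the value every role's YAML now sets) permits inline `<script>` blocks only, while inline event handlers and `javascript:` URLs stay governed by `script-src` and are blocked unless that directive allows them — presumably intended, but confirm against the apps. If the fallback matters, keep the hosts on both directives, `and directive in ['script-src', 'script-src-elem', 'connect-src']` and `if directive in ('script-src', 'script-src-elem'):`; otherwise document the baseline with `# CSP3 only: browsers lacking script-src-elem fall back to script-src, which deliberately omits these hosts`. The enclosing method starts and ends outside both hunks.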
@@ -15,7 +15,7 @@ features:
 central_database: true
 csp:
 flags:
- script-src:
+ script-src-elem:
 unsafe-inline: true
 unsafe-eval: true
 style-src:
diff --git a/roles/docker-gitea/vars/configuration.yml b/roles/docker-gitea/vars/configuration.yml
index b288fd78..df1185e1 100644
--- a/roles/docker-gitea/vars/configuration.yml
+++ b/roles/docker-gitea/vars/configuration.yml
@@ -12,7 +12,7 @@ features:
 central_database: true
 csp:
 flags:
- script-src:
+ script-src-elem:
 unsafe-inline: true
 style-src:
 unsafe-inline: true
diff --git a/roles/docker-keycloak/vars/configuration.yml b/roles/docker-keycloak/vars/configuration.yml
index 48d8fe17..f7ba8658 100644
--- a/roles/docker-keycloak/vars/configuration.yml
+++ b/roles/docker-keycloak/vars/configuration.yml
@@ -14,7 +14,7 @@ features:
 recaptcha: true
 csp:
 flags:
- script-src:
+ script-src-elem:
 unsafe-inline: true
 style-src:
 unsafe-inline: true
diff --git a/roles/docker-lam/vars/configuration.yml b/roles/docker-lam/vars/configuration.yml
index dedb99b8..2a60ceb4 100644
--- a/roles/docker-lam/vars/configuration.yml
+++ b/roles/docker-lam/vars/configuration.yml
@@ -15,7 +15,7 @@ csp:
 flags:
 style-src:
 unsafe-inline: true
- script-src:
+ script-src-elem:
 unsafe-inline: true
 unsafe-eval: true
 domains:
diff --git a/roles/docker-listmonk/vars/configuration.yml b/roles/docker-listmonk/vars/configuration.yml
index 0c2f382d..75510c48 100644
--- a/roles/docker-listmonk/vars/configuration.yml
+++ b/roles/docker-listmonk/vars/configuration.yml
@@ -7,7 +7,7 @@ public_api_activated: False # Security hol
 version: "latest" # Docker Image version
 features:
 matomo: true
- css: true
+ css: false
 portfolio_iframe: true
 central_database: true
 oidc: true
diff --git a/roles/docker-mailu/vars/configuration.yml b/roles/docker-mailu/vars/configuration.yml
index 8f102b4d..5145fe8b 100644
--- a/roles/docker-mailu/vars/configuration.yml
+++ b/roles/docker-mailu/vars/configuration.yml
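Review bot: `css: false` in roles/docker-listmonk/vars/configuration.yml is the one hunk on this page that is not the `script-src` → `script-src-elem` rename, and nothing visible says why the feature flag is flipped. If the change is intentional, a trailing comment would keep it from being reverted as a stray edit, e.g. `css: false # TODO(review): state why the css feature is disabled for listmonk`; if it is not, it belongs in its own commit.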
@@ -16,8 +16,9 @@ features:
 domains:
 canonical:
 - "mail.{{ primary_domain }}"
-flags:
- style-src:
- unsafe-inline: true
- script-src:
- unsafe-inline: true
\ No newline at end of file
+csp:
+ flags:
+ style-src:
+ unsafe-inline: true
+ script-src-elem:
+ unsafe-inline: true
\ No newline at end of file
diff --git a/roles/docker-matomo/vars/configuration.yml b/roles/docker-matomo/vars/configuration.yml
index 2e3483a5..800efb36 100644
--- a/roles/docker-matomo/vars/configuration.yml
+++ b/roles/docker-matomo/vars/configuration.yml
@@ -8,12 +8,12 @@ features:
 oauth2: false
 csp:
 whitelist:
- script-src:
+ script-src-elem:
 - https://cdn.matomo.cloud
 style-src:
 - https://fonts.googleapis.com
 flags:
- script-src:
+ script-src-elem:
 unsafe-inline: true
 unsafe-eval: true
 style-src:
diff --git a/roles/docker-matrix/vars/configuration.yml b/roles/docker-matrix/vars/configuration.yml
index 5d48607b..2d049206 100644
--- a/roles/docker-matrix/vars/configuration.yml
+++ b/roles/docker-matrix/vars/configuration.yml
@@ -20,7 +20,7 @@ features:
 central_database: true
 csp:
 flags:
- script-src:
+ script-src-elem:
 unsafe-inline: true
 unsafe-eval: true
 style-src:
@@ -29,7 +29,7 @@ csp:
 connect-src:
 - "{{ primary_domain }}"
 - "matrix.{{ primary_domain }}"
- script-src:
+ script-src-elem:
 - "element.{{ primary_domain }}"
 - "https://cdn.jsdelivr.net"
 plugins:
diff --git a/roles/docker-moodle/vars/configuration.yml b/roles/docker-moodle/vars/configuration.yml
index 43f675af..9bbac8fe 100644
--- a/roles/docker-moodle/vars/configuration.yml
+++ b/roles/docker-moodle/vars/configuration.yml
@@ -12,7 +12,7 @@ features:
 oidc: false
 csp:
 flags:
- script-src:
+ script-src-elem:
 unsafe-inline: true
 unsafe-eval: true
 style-src:
@@ -21,7 +21,7 @@ csp:
 font-src:
 - "data:"
 - "blob:"
- script-src:
+ script-src-elem:
 - "https://cdn.jsdelivr.net"
 domains:
 canonical:
diff --git a/roles/docker-nextcloud/Update.md b/roles/docker-nextcloud/Update.md
new file mode 100644
index 00000000..946f55ca
--- /dev/null
+++ b/roles/docker-nextcloud/Update.md
@@ -0,0 +1,13 @@
+# Update Nextcloud (manuel)
+
+To perform a manuel Nexcloud update execute:
+
+```bash
+docker-compose exec -T -u www-data application /var/www/html/occ upgrade
+docker-compose exec -T -u www-data application /var/www/html/occ maintenance:repair --include-expensive
+docker-compose exec -T -u www-data application /var/www/html/occ app:update --all
+docker-compose exec -T -u www-data application /var/www/html/occ db:add-missing-columns
+docker-compose exec -T -u www-data application /var/www/html/occ db:add-missing-indices
+docker-compose exec -T -u www-data application /var/www/html/occ db:add-missing-primary-keys
+docker-compose exec -T -u www-data application /var/www/html/occ maintenance:mode --off
+```
\ No newline at end of file
diff --git a/roles/docker-nextcloud/vars/configuration.yml b/roles/docker-nextcloud/vars/configuration.yml
index f3477c44..90ad5606 100644
--- a/roles/docker-nextcloud/vars/configuration.yml
+++ b/roles/docker-nextcloud/vars/configuration.yml
@@ -3,7 +3,7 @@ csp:
 flags:
 style-src:
 unsafe-inline: true
- script-src:
+ script-src-elem:
 unsafe-inline: true
 whitelist:
 font-src:
diff --git a/roles/docker-openproject/vars/configuration.yml b/roles/docker-openproject/vars/configuration.yml
index 1cdca664..2eb10329 100644
--- a/roles/docker-openproject/vars/configuration.yml
+++ b/roles/docker-openproject/vars/configuration.yml
@@ -15,7 +15,7 @@ features:
 oauth2: true
 csp:
 flags:
- script-src:
+ script-src-elem:
 unsafe-inline: true
 style-src:
 unsafe-inline: true
diff --git a/roles/docker-peertube/vars/configuration.yml b/roles/docker-peertube/vars/configuration.yml
index f2251658..6709595b 100644
--- a/roles/docker-peertube/vars/configuration.yml
+++ b/roles/docker-peertube/vars/configuration.yml
@@ -7,7 +7,7 @@ features:
 oidc: true
 csp:
 flags:
- script-src:
+ script-src-elem:
 unsafe-inline: true
 style-src:
 unsafe-inline: true
diff --git a/roles/docker-pgadmin/vars/configuration.yml b/roles/docker-pgadmin/vars/configuration.yml
index 57c3d5b9..0b60aa90 100644
--- a/roles/docker-pgadmin/vars/configuration.yml
+++ b/roles/docker-pgadmin/vars/configuration.yml
@@ -17,7 +17,7 @@ csp:
 flags:
 style-src:
 unsafe-inline: true
- script-src:
+ script-src-elem:
 unsafe-inline: true
 whitelist:
 font-src:
diff --git a/roles/docker-phpmyadmin/vars/configuration.yml b/roles/docker-phpmyadmin/vars/configuration.yml
index 05ad7e48..e5b6fcd5 100644
--- a/roles/docker-phpmyadmin/vars/configuration.yml
+++ b/roles/docker-phpmyadmin/vars/configuration.yml
@@ -14,7 +14,7 @@ csp:
 flags:
 style-src:
 unsafe-inline: true
- script-src:
+ script-src-elem:
 unsafe-inline: true
 domains:
 aliases:
diff --git a/roles/docker-pixelfed/vars/configuration.yml b/roles/docker-pixelfed/vars/configuration.yml
index a0523ae8..52e26c38 100644
--- a/roles/docker-pixelfed/vars/configuration.yml
+++ b/roles/docker-pixelfed/vars/configuration.yml
@@ -7,7 +7,7 @@ features:
 central_database: true
 csp:
 flags:
- script-src:
+ script-src-elem:
 unsafe-inline: true
 unsafe-eval: true
 style-src:
diff --git a/roles/docker-portfolio/vars/configuration.yml b/roles/docker-portfolio/vars/configuration.yml
index 7fdbc4ce..09ac4743 100644
--- a/roles/docker-portfolio/vars/configuration.yml
+++ b/roles/docker-portfolio/vars/configuration.yml
@@ -4,7 +4,7 @@ features:
 portfolio_iframe: false
 csp:
 whitelist:
- script-src:
+ script-src-elem:
 - https://cdn.jsdelivr.net
 - https://kit.fontawesome.com
 style-src:
@@ -19,7 +19,7 @@ csp:
 flags:
 style-src:
 unsafe-inline: true
- script-src:
+ script-src-elem:
 unsafe-inline: true
 domains:
 canonical:
diff --git a/roles/docker-presentation/vars/configuration.yml b/roles/docker-presentation/vars/configuration.yml
index 99e0df89..7611c8b8 100644
--- a/roles/docker-presentation/vars/configuration.yml
+++ b/roles/docker-presentation/vars/configuration.yml
@@ -5,7 +5,7 @@ features:
 csp:
 whitelist:
- script-src:
+ script-src-elem:
 - https://cdnjs.cloudflare.com
 - https://code.jquery.com
 - https://cdn.jsdelivr.net
@@ -17,7 +17,7 @@ csp:
 flags:
 style-src:
 unsafe-inline: true
- script-src:
+ script-src-elem:
 unsafe-eval: true
 domains:
 canonical:
diff --git a/roles/docker-snipe-it/vars/configuration.yml b/roles/docker-snipe-it/vars/configuration.yml
index 772629ca..87f103d0 100644
--- a/roles/docker-snipe-it/vars/configuration.yml
+++ b/roles/docker-snipe-it/vars/configuration.yml
@@ -9,7 +9,7 @@ domains:
 - "inventory.{{ primary_domain }}"
 csp:
 flags:
- script-src:
+ script-src-elem:
 unsafe-inline: true
 style-src:
 unsafe-inline: true
diff --git a/roles/docker-sphinx/vars/configuration.yml b/roles/docker-sphinx/vars/configuration.yml
index 90bca16c..d62a04e3 100644
--- a/roles/docker-sphinx/vars/configuration.yml
+++ b/roles/docker-sphinx/vars/configuration.yml
@@ -4,7 +4,7 @@ features:
 portfolio_iframe: false
 csp:
 flags:
- script-src:
+ script-src-elem:
 unsafe-inline: true
 unsafe-eval: true
 style-src:
diff --git a/roles/docker-taiga/vars/configuration.yml b/roles/docker-taiga/vars/configuration.yml
index bbe195a3..26801aa2 100644
--- a/roles/docker-taiga/vars/configuration.yml
+++ b/roles/docker-taiga/vars/configuration.yml
@@ -15,7 +15,7 @@ features:
 csp:
 flags:
- script-src:
+ script-src-elem:
 unsafe-inline: true
 unsafe-eval: true
 style-src:
diff --git a/roles/docker-wordpress/vars/configuration.yml b/roles/docker-wordpress/vars/configuration.yml
index 0fe513d9..edf8eabe 100644
--- a/roles/docker-wordpress/vars/configuration.yml
+++ b/roles/docker-wordpress/vars/configuration.yml
@@ -20,7 +20,7 @@ csp:
 flags:
 style-src:
 unsafe-inline: true
- script-src:
+ script-src-elem:
 unsafe-inline: true
 unsafe-eval: true
 whitelist:
@@ -29,7 +29,7 @@ csp:
 font-src:
 - "data:"
 - "https://fonts.bunny.net"
- script-src:
+ script-src-elem:
 - "https://cdn.gtranslate.net"
 - "blog.{{ primary_domain }}"
 style-src:
diff --git a/tests/integration/test_csp_configuration_consistency.py b/tests/integration/test_csp_configuration_consistency.py
index 253c9079..24b729c7 100644
--- a/tests/integration/test_csp_configuration_consistency.py
+++ b/tests/integration/test_csp_configuration_consistency.py
@@ -10,6 +10,7 @@ class TestCspConfigurationConsistency(unittest.TestCase):
 'frame-ancestors',
 'frame-src',
 'script-src',
+ 'script-src-elem',
 'style-src',
 'font-src',
 'worker-src',
diff --git a/tests/unit/test_csp_filters.py b/tests/unit/test_csp_filters.py
index 1ab35cc7..a12cf787 100644
--- a/tests/unit/test_csp_filters.py
+++ b/tests/unit/test_csp_filters.py
@@ -24,7 +24,7 @@ class TestCspFilters(unittest.TestCase):
 },
 'csp': {
 'whitelist': {
- 'script-src': ['https://cdn.example.com'],
+ 'script-src-elem': ['https://cdn.example.com'],
 'connect-src': 'https://api.example.com',
 },
 'flags': {
@@ -53,7 +53,7 @@ class TestCspFilters(unittest.TestCase):
 }
 def test_get_csp_whitelist_list(self):
- result = self.filter.get_csp_whitelist(self.apps, 'app1', 'script-src')
+ result = self.filter.get_csp_whitelist(self.apps, 'app1', 'script-src-elem')
 self.assertEqual(result, ['https://cdn.example.com'])
 def test_get_csp_whitelist_string(self):
@@ -84,7 +84,11 @@ class TestCspFilters(unittest.TestCase):
 self.assertIn("default-src 'self';", header)
 # script-src directive should include unsafe-eval, Matomo domain and CDN (hash may follow)
 self.assertIn(
- "script-src 'self' 'unsafe-eval' https://matomo.example.org https://cdn.example.com",
+ "script-src-elem 'self' https://matomo.example.org https://cdn.example.com",
+ header
+ )
+ self.assertIn(
+ "script-src 'self' 'unsafe-eval'",
 header
 )
 # connect-src directive unchanged (no inline hash)
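Review bot: The context comment `# script-src directive should include unsafe-eval, Matomo domain and CDN (hash may follow)` directly above the rewritten assertion in the last hunk is now stale: the Matomo host and the CDN are asserted on `script-src-elem`, and `script-src` is asserted to carry only `'self' 'unsafe-eval'`. Rewrite it as `# host allowlist (Matomo, CDN) now lives on script-src-elem; script-src keeps only 'self' and 'unsafe-eval' (a hash may follow)`. Note also that the new `assertIn("script-src 'self' 'unsafe-eval'", header)` is a substring match that still passes if further sources follow on that directive, so it does not prove the hosts were actually moved off `script-src`; matching up to the terminating `;`, as the `default-src 'self';` assertion already does, would pin it, assuming the header joins directives with `;`. The test method starts and ends outside the hunk.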