Optimized CSP rules

2025-08-29 15:06:26 +02:00 · 2025-06-03 14:32:15 +02:00
parent cc9b634bb8
commit ebd74db3c4
27 changed files with 57 additions and 39 deletions
--- a/roles/docker-bigbluebutton/vars/configuration.yml
+++ b/roles/docker-bigbluebutton/vars/configuration.yml
@@ -17,7 +17,7 @@ domains:
    - "meet.{{ primary_domain }}"
 csp:  
  flags:
-    script-src:
+    script-src-elem:
      unsafe-inline:  true
    style-src:
      unsafe-inline:  true
--- a/roles/docker-discourse/vars/configuration.yml
+++ b/roles/docker-discourse/vars/configuration.yml
@@ -12,7 +12,7 @@ csp:
  flags:
    style-src:
      unsafe-inline: true
-    script-src:
+    script-src-elem:
      unsafe-inline: true
  whitelist:
    font-src:
--- a/roles/docker-espocrm/vars/configuration.yml
+++ b/roles/docker-espocrm/vars/configuration.yml
@@ -15,7 +15,7 @@ features:
  central_database:   true
 csp:
  flags:
-    script-src:
+    script-src-elem:
      unsafe-inline:  true
      unsafe-eval:    true
    style-src:
--- a/roles/docker-gitea/vars/configuration.yml
+++ b/roles/docker-gitea/vars/configuration.yml
@@ -12,7 +12,7 @@ features:
  central_database:               true
 csp:
  flags:
-    script-src:
+    script-src-elem:
      unsafe-inline:              true
    style-src:
      unsafe-inline:              true
--- a/roles/docker-keycloak/vars/configuration.yml
+++ b/roles/docker-keycloak/vars/configuration.yml
@@ -14,7 +14,7 @@ features:
  recaptcha:          true
 csp:
  flags:
-    script-src:
+    script-src-elem:
      unsafe-inline: true
    style-src:
      unsafe-inline: true
--- a/roles/docker-lam/vars/configuration.yml
+++ b/roles/docker-lam/vars/configuration.yml
@@ -15,7 +15,7 @@ csp:
  flags:
    style-src:
      unsafe-inline:            true
-    script-src:
+    script-src-elem:
      unsafe-inline:            true
      unsafe-eval:              true
 domains:
--- a/roles/docker-listmonk/vars/configuration.yml
+++ b/roles/docker-listmonk/vars/configuration.yml
@@ -7,7 +7,7 @@ public_api_activated:       False                                 # Security hol
 version:                    "latest"                              # Docker Image version
 features:
  matomo:                   true
-  css:                      true
+  css:                      false
  portfolio_iframe:         true
  central_database:         true
  oidc:                     true
--- a/roles/docker-mailu/vars/configuration.yml
+++ b/roles/docker-mailu/vars/configuration.yml
@@ -16,8 +16,9 @@ features:
 domains:
  canonical:
    - "mail.{{ primary_domain }}"
-flags:
-  style-src:
-    unsafe-inline:        true
-  script-src:
-    unsafe-inline:        true
+csp:
+  flags:
+    style-src:
+      unsafe-inline:        true
+    script-src-elem:
+      unsafe-inline:        true
--- a/roles/docker-matomo/vars/configuration.yml
+++ b/roles/docker-matomo/vars/configuration.yml
@@ -8,12 +8,12 @@ features:
  oauth2:             false
 csp:
  whitelist:
-    script-src:
+    script-src-elem:
      - https://cdn.matomo.cloud
    style-src:
      - https://fonts.googleapis.com
  flags:
-    script-src:
+    script-src-elem:
      unsafe-inline: true
      unsafe-eval:   true
    style-src:
--- a/roles/docker-matrix/vars/configuration.yml
+++ b/roles/docker-matrix/vars/configuration.yml
@@ -20,7 +20,7 @@ features:
  central_database:   true
 csp:
  flags:
-    script-src:
+    script-src-elem:
      unsafe-inline: true
      unsafe-eval:   true
    style-src:
@@ -29,7 +29,7 @@ csp:
    connect-src:
      - "{{ primary_domain }}"
      - "matrix.{{ primary_domain }}"
-    script-src:
+    script-src-elem:
      - "element.{{ primary_domain }}"
      - "https://cdn.jsdelivr.net"
 plugins:
--- a/roles/docker-moodle/vars/configuration.yml
+++ b/roles/docker-moodle/vars/configuration.yml
@@ -12,7 +12,7 @@ features:
  oidc:               false
 csp:
  flags:
-    script-src:
+    script-src-elem:
      unsafe-inline:  true
      unsafe-eval:    true
    style-src:
@@ -21,7 +21,7 @@ csp:
    font-src:
      - "data:"
      - "blob:"
-    script-src:
+    script-src-elem:
      - "https://cdn.jsdelivr.net"
 domains:
  canonical:
--- a/roles/docker-nextcloud/Update.md
+++ b/roles/docker-nextcloud/Update.md
@@ -0,0 +1,13 @@
+# Update Nextcloud (manuel)
+
+To perform a manuel Nexcloud update execute:
+
+```bash
+docker-compose exec -T -u www-data application /var/www/html/occ upgrade
+docker-compose exec -T -u www-data application /var/www/html/occ maintenance:repair --include-expensive
+docker-compose exec -T -u www-data application /var/www/html/occ app:update --all
+docker-compose exec -T -u www-data application /var/www/html/occ db:add-missing-columns
+docker-compose exec -T -u www-data application /var/www/html/occ db:add-missing-indices
+docker-compose exec -T -u www-data application /var/www/html/occ db:add-missing-primary-keys
+docker-compose exec -T -u www-data application /var/www/html/occ maintenance:mode --off
+```
--- a/roles/docker-nextcloud/vars/configuration.yml
+++ b/roles/docker-nextcloud/vars/configuration.yml
@@ -3,7 +3,7 @@ csp:
  flags:
    style-src:
      unsafe-inline: true
-    script-src:
+    script-src-elem:
      unsafe-inline: true
  whitelist:
    font-src:
--- a/roles/docker-openproject/vars/configuration.yml
+++ b/roles/docker-openproject/vars/configuration.yml
@@ -15,7 +15,7 @@ features:
  oauth2:             true
 csp:
  flags:
-    script-src:
+    script-src-elem:
      unsafe-inline: true
    style-src:
      unsafe-inline: true  
--- a/roles/docker-peertube/vars/configuration.yml
+++ b/roles/docker-peertube/vars/configuration.yml
@@ -7,7 +7,7 @@ features:
  oidc:               true
 csp:
  flags:
-    script-src:
+    script-src-elem:
      unsafe-inline:  true
    style-src:
      unsafe-inline:  true
--- a/roles/docker-pgadmin/vars/configuration.yml
+++ b/roles/docker-pgadmin/vars/configuration.yml
@@ -17,7 +17,7 @@ csp:
  flags:
    style-src:
      unsafe-inline: true
-    script-src:
+    script-src-elem:
      unsafe-inline: true
  whitelist:
    font-src:
--- a/roles/docker-phpmyadmin/vars/configuration.yml
+++ b/roles/docker-phpmyadmin/vars/configuration.yml
@@ -14,7 +14,7 @@ csp:
  flags:
    style-src:
      unsafe-inline: true
-    script-src:
+    script-src-elem:
      unsafe-inline: true
 domains:
  aliases:
--- a/roles/docker-pixelfed/vars/configuration.yml
+++ b/roles/docker-pixelfed/vars/configuration.yml
@@ -7,7 +7,7 @@ features:
  central_database:   true
 csp:
  flags:
-    script-src:
+    script-src-elem:
      unsafe-inline: true
      unsafe-eval:   true
    style-src:
--- a/roles/docker-portfolio/vars/configuration.yml
+++ b/roles/docker-portfolio/vars/configuration.yml
@@ -4,7 +4,7 @@ features:
  portfolio_iframe: false
 csp:
  whitelist:
-    script-src:
+    script-src-elem:
      - https://cdn.jsdelivr.net
      - https://kit.fontawesome.com
    style-src:
@@ -19,7 +19,7 @@ csp:
  flags:
    style-src:
      unsafe-inline: true
-    script-src:
+    script-src-elem:
      unsafe-inline: true
 domains:
  canonical:
--- a/roles/docker-presentation/vars/configuration.yml
+++ b/roles/docker-presentation/vars/configuration.yml
@@ -5,7 +5,7 @@ features:

 csp:
  whitelist:
-    script-src:
+    script-src-elem:
      - https://cdnjs.cloudflare.com
      - https://code.jquery.com
      - https://cdn.jsdelivr.net
@@ -17,7 +17,7 @@ csp:
  flags:
    style-src:
      unsafe-inline: true
-    script-src:
+    script-src-elem:
      unsafe-eval:   true
 domains:
  canonical:
--- a/roles/docker-snipe-it/vars/configuration.yml
+++ b/roles/docker-snipe-it/vars/configuration.yml
@@ -9,7 +9,7 @@ domains:
    - "inventory.{{ primary_domain }}"
 csp:
  flags:
-    script-src:
+    script-src-elem:
      unsafe-inline: true
    style-src:
      unsafe-inline: true
--- a/roles/docker-sphinx/vars/configuration.yml
+++ b/roles/docker-sphinx/vars/configuration.yml
@@ -4,7 +4,7 @@ features:
  portfolio_iframe:   false
 csp:
  flags:
-    script-src:
+    script-src-elem:
      unsafe-inline:  true
      unsafe-eval:    true
    style-src:
--- a/roles/docker-taiga/vars/configuration.yml
+++ b/roles/docker-taiga/vars/configuration.yml
@@ -15,7 +15,7 @@ features:

 csp:
  flags:
-    script-src:
+    script-src-elem:
      unsafe-inline: true
      unsafe-eval:   true
    style-src:
--- a/roles/docker-wordpress/vars/configuration.yml
+++ b/roles/docker-wordpress/vars/configuration.yml
@@ -20,7 +20,7 @@ csp:
  flags:
    style-src:
      unsafe-inline:  true
-    script-src:
+    script-src-elem:
      unsafe-inline:  true
      unsafe-eval:    true
  whitelist:
@@ -29,7 +29,7 @@ csp:
    font-src:
      - "data:"
      - "https://fonts.bunny.net"
-    script-src:
+    script-src-elem:
      - "https://cdn.gtranslate.net"
      - "blog.{{ primary_domain }}"
    style-src: