Optimized CSP rules

2025-07-17 14:04:24 +02:00 · 2025-06-03 14:32:15 +02:00 · 2025-06-03 14:32:15 +02:00 · ebd74db3c4
commit ebd74db3c4
parent cc9b634bb8
27 changed files with 57 additions and 39 deletions
--- a/filter_plugins/csp_filters.py
+++ b/filter_plugins/csp_filters.py
@ -109,7 +109,7 @@ class FilterModule(object):
                # Matomo integration
                if (
                    self.is_feature_enabled(applications, matomo_feature_name, application_id)
-                    and directive in ['script-src', 'connect-src']
+                    and directive in ['script-src-elem', 'connect-src']
                ):
                    matomo_domain = domains.get('matomo')[0]
                    if matomo_domain:
@ -117,10 +117,9 @@ class FilterModule(object):

                # ReCaptcha integration: allow loading scripts from Google if feature enabled
                if self.is_feature_enabled(applications, 'recaptcha', application_id):
-                    if directive == 'script-src':
-                        tokens.append('https://www.google.com')
                    if directive == 'script-src-elem':
                        tokens.append('https://www.gstatic.com')
+                        tokens.append('https://www.google.com')

                # Enable loading via ancestors
                if (
--- a/roles/docker-bigbluebutton/vars/configuration.yml
+++ b/roles/docker-bigbluebutton/vars/configuration.yml
@ -17,7 +17,7 @@ domains:
    - "meet.{{ primary_domain }}"
 csp:  
  flags:
-    script-src:
+    script-src-elem:
      unsafe-inline:  true
    style-src:
      unsafe-inline:  true
--- a/roles/docker-discourse/vars/configuration.yml
+++ b/roles/docker-discourse/vars/configuration.yml
@ -12,7 +12,7 @@ csp:
  flags:
    style-src:
      unsafe-inline: true
-    script-src:
+    script-src-elem:
      unsafe-inline: true
  whitelist:
    font-src:
--- a/roles/docker-espocrm/vars/configuration.yml
+++ b/roles/docker-espocrm/vars/configuration.yml
@ -15,7 +15,7 @@ features:
  central_database:   true
 csp:
  flags:
-    script-src:
+    script-src-elem:
      unsafe-inline:  true
      unsafe-eval:    true
    style-src:
--- a/roles/docker-gitea/vars/configuration.yml
+++ b/roles/docker-gitea/vars/configuration.yml
@ -12,7 +12,7 @@ features:
  central_database:               true
 csp:
  flags:
-    script-src:
+    script-src-elem:
      unsafe-inline:              true
    style-src:
      unsafe-inline:              true
--- a/roles/docker-keycloak/vars/configuration.yml
+++ b/roles/docker-keycloak/vars/configuration.yml
@ -14,7 +14,7 @@ features:
  recaptcha:          true
 csp:
  flags:
-    script-src:
+    script-src-elem:
      unsafe-inline: true
    style-src:
      unsafe-inline: true
--- a/roles/docker-lam/vars/configuration.yml
+++ b/roles/docker-lam/vars/configuration.yml
@ -15,7 +15,7 @@ csp:
  flags:
    style-src:
      unsafe-inline:            true
-    script-src:
+    script-src-elem:
      unsafe-inline:            true
      unsafe-eval:              true
 domains:
--- a/roles/docker-listmonk/vars/configuration.yml
+++ b/roles/docker-listmonk/vars/configuration.yml
@ -7,7 +7,7 @@ public_api_activated:       False                                 # Security hol
 version:                    "latest"                              # Docker Image version
 features:
  matomo:                   true
-  css:                      true
+  css:                      false
  portfolio_iframe:         true
  central_database:         true
  oidc:                     true
--- a/roles/docker-mailu/vars/configuration.yml
+++ b/roles/docker-mailu/vars/configuration.yml
@ -16,8 +16,9 @@ features:
 domains:
  canonical:
    - "mail.{{ primary_domain }}"
-flags:
-  style-src:
-    unsafe-inline:        true
-  script-src:
-    unsafe-inline:        true
+csp:
+  flags:
+    style-src:
+      unsafe-inline:        true
+    script-src-elem:
+      unsafe-inline:        true
--- a/roles/docker-matomo/vars/configuration.yml
+++ b/roles/docker-matomo/vars/configuration.yml
@ -8,12 +8,12 @@ features:
  oauth2:             false
 csp:
  whitelist:
-    script-src:
+    script-src-elem:
      - https://cdn.matomo.cloud
    style-src:
      - https://fonts.googleapis.com
  flags:
-    script-src:
+    script-src-elem:
      unsafe-inline: true
      unsafe-eval:   true
    style-src:
--- a/roles/docker-matrix/vars/configuration.yml
+++ b/roles/docker-matrix/vars/configuration.yml
@ -20,7 +20,7 @@ features:
  central_database:   true
 csp:
  flags:
-    script-src:
+    script-src-elem:
      unsafe-inline: true
      unsafe-eval:   true
    style-src:
@ -29,7 +29,7 @@ csp:
    connect-src:
      - "{{ primary_domain }}"
      - "matrix.{{ primary_domain }}"
-    script-src:
+    script-src-elem:
      - "element.{{ primary_domain }}"
      - "https://cdn.jsdelivr.net"
 plugins:
--- a/roles/docker-moodle/vars/configuration.yml
+++ b/roles/docker-moodle/vars/configuration.yml
@ -12,7 +12,7 @@ features:
  oidc:               false
 csp:
  flags:
-    script-src:
+    script-src-elem:
      unsafe-inline:  true
      unsafe-eval:    true
    style-src:
@ -21,7 +21,7 @@ csp:
    font-src:
      - "data:"
      - "blob:"
-    script-src:
+    script-src-elem:
      - "https://cdn.jsdelivr.net"
 domains:
  canonical:
--- a/roles/docker-nextcloud/Update.md
+++ b/roles/docker-nextcloud/Update.md
@ -0,0 +1,13 @@
+# Update Nextcloud (manuel)
+
+To perform a manuel Nexcloud update execute:
+
+```bash
+docker-compose exec -T -u www-data application /var/www/html/occ upgrade
+docker-compose exec -T -u www-data application /var/www/html/occ maintenance:repair --include-expensive
+docker-compose exec -T -u www-data application /var/www/html/occ app:update --all
+docker-compose exec -T -u www-data application /var/www/html/occ db:add-missing-columns
+docker-compose exec -T -u www-data application /var/www/html/occ db:add-missing-indices
+docker-compose exec -T -u www-data application /var/www/html/occ db:add-missing-primary-keys
+docker-compose exec -T -u www-data application /var/www/html/occ maintenance:mode --off
+```
--- a/roles/docker-nextcloud/vars/configuration.yml
+++ b/roles/docker-nextcloud/vars/configuration.yml
@ -3,7 +3,7 @@ csp:
  flags:
    style-src:
      unsafe-inline: true
-    script-src:
+    script-src-elem:
      unsafe-inline: true
  whitelist:
    font-src:
--- a/roles/docker-openproject/vars/configuration.yml
+++ b/roles/docker-openproject/vars/configuration.yml
@ -15,7 +15,7 @@ features:
  oauth2:             true
 csp:
  flags:
-    script-src:
+    script-src-elem:
      unsafe-inline: true
    style-src:
      unsafe-inline: true  
--- a/roles/docker-peertube/vars/configuration.yml
+++ b/roles/docker-peertube/vars/configuration.yml
@ -7,7 +7,7 @@ features:
  oidc:               true
 csp:
  flags:
-    script-src:
+    script-src-elem:
      unsafe-inline:  true
    style-src:
      unsafe-inline:  true
--- a/roles/docker-pgadmin/vars/configuration.yml
+++ b/roles/docker-pgadmin/vars/configuration.yml
@ -17,7 +17,7 @@ csp:
  flags:
    style-src:
      unsafe-inline: true
-    script-src:
+    script-src-elem:
      unsafe-inline: true
  whitelist:
    font-src:
--- a/roles/docker-phpmyadmin/vars/configuration.yml
+++ b/roles/docker-phpmyadmin/vars/configuration.yml
@ -14,7 +14,7 @@ csp:
  flags:
    style-src:
      unsafe-inline: true
-    script-src:
+    script-src-elem:
      unsafe-inline: true
 domains:
  aliases:
--- a/roles/docker-pixelfed/vars/configuration.yml
+++ b/roles/docker-pixelfed/vars/configuration.yml
@ -7,7 +7,7 @@ features:
  central_database:   true
 csp:
  flags:
-    script-src:
+    script-src-elem:
      unsafe-inline: true
      unsafe-eval:   true
    style-src:
--- a/roles/docker-portfolio/vars/configuration.yml
+++ b/roles/docker-portfolio/vars/configuration.yml
@ -4,7 +4,7 @@ features:
  portfolio_iframe: false
 csp:
  whitelist:
-    script-src:
+    script-src-elem:
      - https://cdn.jsdelivr.net
      - https://kit.fontawesome.com
    style-src:
@ -19,7 +19,7 @@ csp:
  flags:
    style-src:
      unsafe-inline: true
-    script-src:
+    script-src-elem:
      unsafe-inline: true
 domains:
  canonical:
--- a/roles/docker-presentation/vars/configuration.yml
+++ b/roles/docker-presentation/vars/configuration.yml
@ -5,7 +5,7 @@ features:

 csp:
  whitelist:
-    script-src:
+    script-src-elem:
      - https://cdnjs.cloudflare.com
      - https://code.jquery.com
      - https://cdn.jsdelivr.net
@ -17,7 +17,7 @@ csp:
  flags:
    style-src:
      unsafe-inline: true
-    script-src:
+    script-src-elem:
      unsafe-eval:   true
 domains:
  canonical:
--- a/roles/docker-snipe-it/vars/configuration.yml
+++ b/roles/docker-snipe-it/vars/configuration.yml
@ -9,7 +9,7 @@ domains:
    - "inventory.{{ primary_domain }}"
 csp:
  flags:
-    script-src:
+    script-src-elem:
      unsafe-inline: true
    style-src:
      unsafe-inline: true
--- a/roles/docker-sphinx/vars/configuration.yml
+++ b/roles/docker-sphinx/vars/configuration.yml
@ -4,7 +4,7 @@ features:
  portfolio_iframe:   false
 csp:
  flags:
-    script-src:
+    script-src-elem:
      unsafe-inline:  true
      unsafe-eval:    true
    style-src:
--- a/roles/docker-taiga/vars/configuration.yml
+++ b/roles/docker-taiga/vars/configuration.yml
@ -15,7 +15,7 @@ features:

 csp:
  flags:
-    script-src:
+    script-src-elem:
      unsafe-inline: true
      unsafe-eval:   true
    style-src:
--- a/roles/docker-wordpress/vars/configuration.yml
+++ b/roles/docker-wordpress/vars/configuration.yml
@ -20,7 +20,7 @@ csp:
  flags:
    style-src:
      unsafe-inline:  true
-    script-src:
+    script-src-elem:
      unsafe-inline:  true
      unsafe-eval:    true
  whitelist:
@ -29,7 +29,7 @@ csp:
    font-src:
      - "data:"
      - "https://fonts.bunny.net"
-    script-src:
+    script-src-elem:
      - "https://cdn.gtranslate.net"
      - "blog.{{ primary_domain }}"
    style-src:
--- a/tests/integration/test_csp_configuration_consistency.py
+++ b/tests/integration/test_csp_configuration_consistency.py
@ -10,6 +10,7 @@ class TestCspConfigurationConsistency(unittest.TestCase):
        'frame-ancestors',
        'frame-src',
        'script-src',
+        'script-src-elem',
        'style-src',
        'font-src',
        'worker-src',
--- a/tests/unit/test_csp_filters.py
+++ b/tests/unit/test_csp_filters.py
@ -24,7 +24,7 @@ class TestCspFilters(unittest.TestCase):
                },
                'csp': {
                    'whitelist': {
-                        'script-src': ['https://cdn.example.com'],
+                        'script-src-elem': ['https://cdn.example.com'],
                        'connect-src': 'https://api.example.com',
                    },
                    'flags': {
@ -53,7 +53,7 @@ class TestCspFilters(unittest.TestCase):
        }

    def test_get_csp_whitelist_list(self):
-        result = self.filter.get_csp_whitelist(self.apps, 'app1', 'script-src')
+        result = self.filter.get_csp_whitelist(self.apps, 'app1', 'script-src-elem')
        self.assertEqual(result, ['https://cdn.example.com'])

    def test_get_csp_whitelist_string(self):
@ -84,7 +84,11 @@ class TestCspFilters(unittest.TestCase):
        self.assertIn("default-src 'self';", header)
        # script-src directive should include unsafe-eval, Matomo domain and CDN (hash may follow)
        self.assertIn(
-            "script-src 'self' 'unsafe-eval' https://matomo.example.org https://cdn.example.com",
+            "script-src-elem 'self' https://matomo.example.org https://cdn.example.com",
+            header
+        )
+        self.assertIn(
+            "script-src 'self' 'unsafe-eval'",
            header
        )
        # connect-src directive unchanged (no inline hash)