Solved CSP bugs for echoserver

Deactivated CSS for open project temporary
Solved peertube CSP bug
2025-06-24 19:25:32 +02:00 · 2025-06-10 18:25:39 +02:00 · 2025-06-10 14:02:12 +02:00 · 2025-06-10 13:41:32 +02:00
7 changed files with 12 additions and 3 deletions
--- a/filter_plugins/csp_filters.py
+++ b/filter_plugins/csp_filters.py
@ -128,7 +128,7 @@ class FilterModule(object):
                ):
                    domain = domains.get('portfolio')[0]
                    sld_tld = ".".join(domain.split(".")[-2:])  # yields "example.com"
-                    tokens.append(f"{sld_tld}")               # yields "*.example.com"
+                    tokens.append(f"{sld_tld}")                 # yields "*.example.com"

                # whitelist
                tokens += self.get_csp_whitelist(applications, application_id, directive)
--- a/roles/docker-espocrm/vars/configuration.yml
+++ b/roles/docker-espocrm/vars/configuration.yml
@ -20,6 +20,8 @@ csp:
      unsafe-eval:    true
    style-src:
      unsafe-inline:  true
+    script-src:
+      unsafe-eval:    true
  whitelist:
    connect-src:
      - wss://espocrm.{{ primary_domain }}
--- a/roles/docker-matomo/vars/configuration.yml
+++ b/roles/docker-matomo/vars/configuration.yml
@ -13,11 +13,14 @@ csp:
    style-src:
      - https://fonts.googleapis.com
  flags:
+    script-src:
+      unsafe-eval:   true
    script-src-elem:
      unsafe-inline: true
      unsafe-eval:   true
    style-src:
      unsafe-inline: true
+      unsafe-eval:   true
 domains:
  aliases:
    - "analytics.{{ primary_domain }}"
--- a/roles/docker-openproject/vars/configuration.yml
+++ b/roles/docker-openproject/vars/configuration.yml
@ -8,7 +8,7 @@ ldap:
    users:            False   # Set true to filter users
 features:
  matomo:             true
-  css:                true
+  css:                false   # Temporary deactivated. Needs to be optimized for production use.
  portfolio_iframe:   false
  ldap:               true
  central_database:   true
--- a/roles/docker-peertube/vars/configuration.yml
+++ b/roles/docker-peertube/vars/configuration.yml
@ -9,6 +9,8 @@ csp:
  flags:
    script-src-elem:
      unsafe-inline:  true
+    script-src:
+      unsafe-inline:  true
    style-src:
      unsafe-inline:  true
  whitelist:
--- a/roles/docker-sphinx/vars/configuration.yml
+++ b/roles/docker-sphinx/vars/configuration.yml
@ -4,6 +4,8 @@ features:
  portfolio_iframe:   false
 csp:
  flags:
+    script-src:
+      unsafe-eval:    true
    script-src-elem:
      unsafe-inline:  true
      unsafe-eval:    true
--- a/roles/nginx-modifier-matomo/tasks/main.yml
+++ b/roles/nginx-modifier-matomo/tasks/main.yml
@ -77,7 +77,7 @@
            (application_id): {
              'csp': {
                'hashes': {
-                  'script-src': (
+                  'script-src-elem': (
                    applications[application_id]['csp']['hashes'].get('script-src', [])
                    + [ matomo_tracking_code_one_liner ]
                  )
Author	SHA1	Message	Date
Kevin Veen-Birkenbach	2541cc1c91	Solved CSP bugs for echoserver	2025-06-10 18:25:39 +02:00
Kevin Veen-Birkenbach	90e9e00205	Deactivated CSS for open project temporary	2025-06-10 14:02:12 +02:00
Kevin Veen-Birkenbach	04e07b072d	Solved peertube CSP bug	2025-06-10 13:41:32 +02:00