kevinveenbirkenbach/computer-playbook
1
0
Fork 0
mirror of https://github.com/kevinveenbirkenbach/computer-playbook.git synced 2025-11-02 11:18:09 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
57d5269b07b8a21b200780dcd374247d425f78fa
computer-playbook/templates/roles/web-app/config/main.yml.j2
Kevin Veen-Birkenbach 57d5269b07 CSP (Safari-safe): merge -elem/-attr into base; respect explicit disables; no mirror-back; header only for documents/workers 
- Add CSP3 support for style/script: include -elem and -attr directives
- Base (style-src, script-src) now unions elem/attr (CSP2/Safari fallback)
- Respect explicit base disables (e.g. style-src.unsafe-inline: false)
- Hashes only when 'unsafe-inline' absent in the final base tokens
- Nginx: set CSP only for HTML/worker via header_filter_by_lua_block; drop for subresources
- Remove per-location header_filter; keep body_filter only
- Update app role flags to *-attr where appropriate; extend desktop CSS sources
- Add comprehensive unit tests for union/explicit-disable/no-mirror-back

Ref: https://chatgpt.com/share/68f87a0a-cebc-800f-bb3e-8c8ab4dee8ee
2025-10-22 13:53:06 +02:00

48 lines
2.1 KiB
Django/Jinja
Raw Blame History

credentials: {}
docker:
services:
redis:
enabled: false # Enable Redis
database:
enabled: false # Enable the database
{{ application_id | get_entity_name }}:
backup:
no_stop_required: true # The images that don't need to stop
disabled: true # Disables the image
database_routine: true # Instead of copying a database routine will be triggered for this container
image: "" # The docker image of the software you want to use
version: "latest" # The docker version of the software you want to use
container: "{{ application_id | get_entity_name }}" # The container name
volumes:
data: "{{ application_id | get_entity_name }}_data"
features:
matomo: true # Enable Matomo Tracking
css: true # Enable Global CSS Styling
desktop: true # Enable loading of app in iframe
ldap: false # Enable LDAP Network
central_database: false # Enable Central Database Network
recaptcha: false # Enable ReCaptcha
oauth2: false # Enable the OAuth2-Proy
javascript: false # Enable the custom JS in the javascript.js.j2 file
logout: true # Enable the logout via the central logout mechanism (deleting all cookies)
server:
csp:
whitelist: # URL's which should be whitelisted
script-src-elem: []
style-src-attr: []
font-src: []
connect-src: []
frame-src: []
flags: # Flags which should be set
style-src-attr:
unsafe-inline: false
script-src-attr:
unsafe-inline: false
script-src-elem:
unsafe-inline: false
domains:
canonical: {} # Urls under which the domain should be directly accessible
aliases: [] # Alias redirections to the first element of the canonical domains
rbac:
roles: {}
Reference in New Issue View Git Blame Copy Permalink