kevinveenbirkenbach/computer-playbook
1
0
Fork 0
mirror of https://github.com/kevinveenbirkenbach/computer-playbook.git synced 2025-05-09 14:55:44 +02:00
Code Issues Packages Projects Releases Wiki Activity
computer-playbook/roles/nginx-docker-reverse-proxy/templates/headers/content_security_policy.conf.j2

53 lines
2.7 KiB
Django/Jinja
Raw Blame History

{%- set csp_parts = [] %}
{# default-src: Fallback for all other directives if not explicitly defined #}
{%- set csp_parts = csp_parts + ["default-src 'self';"] %}
{# connect-src: Controls where fetch(), XHR, WebSocket etc. can connect to #}
{%- set connect_src = "connect-src 'self' https://ka-f.fontawesome.com" %}
{%- if applications | is_feature_enabled('matomo', application_id) | bool %}
{%- set connect_src = connect_src + " " + web_protocol + "://" + domains.matomo %}
{%- endif %}
{%- set csp_parts = csp_parts + [connect_src + ";"] %}
{# frame-ancestors: Restricts which origins can embed this site in a frame or iframe #}
{%- set frame_ancestors = "frame-ancestors 'self'" %}
{%- if applications | is_feature_enabled('iframe', application_id) | bool %}
{%- set frame_ancestors = frame_ancestors + " " + web_protocol + "://" + primary_domain %}
{%- endif %}
{%- set csp_parts = csp_parts + [frame_ancestors + ";"] %}
{# frame-src: Controls which URLs can be embedded as iframes #}
{%- set frame_src = "frame-src 'self'" %}
{%- if applications | is_feature_enabled('recaptcha', application_id) | bool %}
{%- set frame_src = frame_src + " https://www.google.com" %}
{%- endif %}
{%- set csp_parts = csp_parts + [frame_src + ";"] %}
{# img-src: Allow images. Prevent tracking by caching on server and client side. #}
{%- set img_src = "img-src * data: blob:"%}
{%- set csp_parts = csp_parts + [img_src + ";"] %}
{# script-src: Allow JavaScript from self, FontAwesome, jsDelivr, and Matomo if enabled #}
{# unsafe eval is set for sphinx #}
{%- set script_src = "script-src 'self' 'unsafe-eval' 'unsafe-inline'" %}
{%- if applications | is_feature_enabled('matomo', application_id) | bool %}
{%- set script_src = script_src + " " + web_protocol + "://" + domains.matomo %}
{%- endif %}
{%- if applications | is_feature_enabled('recaptcha', application_id) | bool %}
{%- set script_src = script_src + " https://www.google.com" %}
{%- endif %}
{%- set script_src = script_src + " https://kit.fontawesome.com https://cdn.jsdelivr.net" %}
{%- set csp_parts = csp_parts + [script_src + ";"] %}
{# style-src: Allow CSS from self, FontAwesome, jsDelivr and inline styles #}
{%- set style_src = "style-src 'self' 'unsafe-inline' https://kit.fontawesome.com https://cdn.jsdelivr.net" %}
{%- set csp_parts = csp_parts + [style_src + ";"] %}
{# font-src: Allow font-src from self, FontAwesome, jsDelivr and inline styles #}
{%- set font_src = "font-src 'self' https://kit.fontawesome.com https://cdn.jsdelivr.net" %}
{%- set csp_parts = csp_parts + [font_src + ";"] %}
add_header Content-Security-Policy "{{ csp_parts | join(' ') }}" always;
# Oppress header send by proxied application
proxy_hide_header Content-Security-Policy;
Reference in New Issue View Git Blame Copy Permalink