From ae908b45976e06883be651876d2bb611044029a0 Mon Sep 17 00:00:00 2001
From: bogdanovic
Date: Sat, 1 Apr 2017 23:35:20 +0200
Subject: [PATCH] review fix #26 and #18

Hye @JimboJoe, after more investigations, rules from nextCloud and tests :) L23```more_set_headers Content-Security-Policy "default-src data:;";``` is enough due to **/ynhpanel.css** where yunohost image tile and fonts are **data:base64**. There is no SP leaks in this case. I'll send rectification in this way.
---
 conf/nginx.conf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/conf/nginx.conf b/conf/nginx.conf
index f32af6b..ed7c0bf 100644
--- a/conf/nginx.conf
+++ b/conf/nginx.conf
@@ -20,7 +20,8 @@ location ^~ #LOCATION# {
 add_header X-Robots-Tag none;
 add_header X-Download-Options noopen;
 add_header X-Permitted-Cross-Domain-Policies none;
- more_set_headers Content-Security-Policy "default-src 'self' 'unsafe-eval' data:;";
+ # Add data: to allow /ynhpanel.css to be load due to image on data:base64
+ more_set_headers Content-Security-Policy "default-src data:;";
 
 # Set max upload size
 client_max_body_size 10G;
@@ -83,7 +84,6 @@ location ^~ #LOCATION# {
 add_header X-Robots-Tag none;
 add_header X-Download-Options noopen;
 add_header X-Permitted-Cross-Domain-Policies none;
- more_set_headers Content-Security-Policy "default-src 'self' 'unsafe-eval' data:;";
 # Optional: Don't log access to assets
 access_log off;
 }
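Review bot: The new `more_set_headers Content-Security-Policy "default-src data:;";` line drops `'self'` from the policy, so a browser enforcing this header refuses every same-origin script, stylesheet, image and XHR and permits only data: URIs — the opposite of what the accompanying comment describes. Putting `data:` in the fallback directive also applies it to script-src, where data: URIs are executable and are generally treated by CSP evaluators as equivalent to unsafe-inline. A policy scoped to what /ynhpanel.css actually needs would be `more_set_headers Content-Security-Policy "default-src 'self'; img-src 'self' data:; font-src 'self' data:;";` with further directives added only where testing shows them required. If the upstream application behind this location emits its own Content-Security-Policy, note that `more_set_headers` replaces that header rather than merging with it, so the application's policy does not compensate for anything missing here — worth confirming against the proxied app. The enclosing location block continues outside the hunk.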