mirror of https://github.com/YunoHost-Apps/nextcloud_ynh.git synced 2024-09-03 19:55:57 +02:00

review fix #26 and #18

Hey @JimboJoe,
after more investigations, rules from Nextcloud and tests :)
L23 `more_set_headers Content-Security-Policy "default-src data:;";`
is enough due to **/ynhpanel.css**, where the YunoHost image tile and fonts
are **data:base64**.

There are no SP leaks in this case.

I'll send rectification in this way.
This commit is contained in:
bogdanovic 2017-04-01 23:35:20 +02:00
parent a7fa165643
commit ae908b4597


@ -20,7 +20,8 @@ location ^~ #LOCATION# {
add_header X-Robots-Tag none; add_header X-Robots-Tag none;
add_header X-Download-Options noopen; add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none; add_header X-Permitted-Cross-Domain-Policies none;
more_set_headers Content-Security-Policy "default-src 'self' 'unsafe-eval' data:;"; # Add data: to allow /ynhpanel.css to be load due to image on data:base64
more_set_headers Content-Security-Policy "default-src data:;";
# Set max upload size # Set max upload size
client_max_body_size 10G; client_max_body_size 10G;
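Review bot: the replacement policy on the right side of this hunk, `default-src data:;`, drops `'self'`, so if it reaches the browser as the effective Content-Security-Policy for this location, same-origin scripts, stylesheets, images, fonts and XHR are blocked and only `data:` URIs are permitted; and if Nextcloud also emits its own Content-Security-Policy header, browsers enforce both policies and every resource must satisfy both, so `data:` would then also have to be allowed by the application's policy for `/ynhpanel.css` to load. Suggest keeping `'self'` next to `data:` (the old line already had it), or scoping the relaxed directive to the `/ynhpanel.css` case the new comment describes, and confirming in the browser console that no same-origin resource is reported as blocked. Two smaller points: the headers-more module's documented argument form is a single `"Name: value"` string (`more_set_headers "Content-Security-Policy: default-src 'self' data:;"`), whereas the hunk passes the header name and the value as two separate arguments, so run `nginx -t` and inspect the delivered header to confirm the directive parses as intended; and the comment should read "to be loaded" rather than "to be load".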
@ -83,7 +84,6 @@ location ^~ #LOCATION# {
add_header X-Robots-Tag none; add_header X-Robots-Tag none;
add_header X-Download-Options noopen; add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none; add_header X-Permitted-Cross-Domain-Policies none;
more_set_headers Content-Security-Policy "default-src 'self' 'unsafe-eval' data:;";
# Optional: Don't log access to assets # Optional: Don't log access to assets
access_log off; access_log off;
} }
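Review bot: removing the `more_set_headers Content-Security-Policy` line from this assets location leaves the block with no CSP directive of its own, which is only consistent with the first hunk if the intent is that static assets served directly by nginx carry no Content-Security-Policy at all (acceptable for images and fonts, but different from the main location, which still sets one). Suggest recording that intent with a one-line comment in the block, so a later reader does not treat the omission as an oversight, and checking with `curl -I` on an asset URL that the headers delivered for this location are the intended ones.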