From 0fba21f92495668e84591522fd49e7813e38bab9 Mon Sep 17 00:00:00 2001
From: Alexandre Aubin
Date: Wed, 29 Apr 2020 01:07:07 +0200
Subject: [PATCH] Enforce CSP rules for real on webadmin

---
 data/templates/nginx/plain/yunohost_admin.conf.inc | 3 +++
 data/templates/nginx/security.conf.inc | 2 +-
 data/templates/nginx/yunohost_admin.conf | 1 -
 3 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/data/templates/nginx/plain/yunohost_admin.conf.inc b/data/templates/nginx/plain/yunohost_admin.conf.inc
index 2ab72293d..8b81ab932 100644
--- a/data/templates/nginx/plain/yunohost_admin.conf.inc
+++ b/data/templates/nginx/plain/yunohost_admin.conf.inc
@@ -6,6 +6,9 @@ location /yunohost/admin/ {
 default_type text/html;
 index index.html;
 
+ more_set_headers "Content-Security-Policy: upgrade-insecure-requests; default-src 'self'; connect-src 'self' https://raw.githubusercontent.com https://paste.yunohost.org wss://$host; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-eval'; object-src 'none';";
+ more_set_headers "Content-Security-Policy-Report-Only:";
+
 # Short cache on handlebars templates
 location ~* \.(?:ms)$ {
 expires 5m;
diff --git a/data/templates/nginx/security.conf.inc b/data/templates/nginx/security.conf.inc
index 0a8bd90b6..dea0f49db 100644
--- a/data/templates/nginx/security.conf.inc
+++ b/data/templates/nginx/security.conf.inc
@@ -22,7 +22,7 @@ ssl_prefer_server_ciphers off;
 # https://wiki.mozilla.org/Security/Guidelines/Web_Security
 # https://observatory.mozilla.org/
 more_set_headers "Content-Security-Policy : upgrade-insecure-requests";
-more_set_headers "Content-Security-Policy-Report-Only : default-src https: data: wss: 'unsafe-inline' 'unsafe-eval' ";
+more_set_headers "Content-Security-Policy-Report-Only : default-src https: data: 'unsafe-inline' 'unsafe-eval' ";
 more_set_headers "X-Content-Type-Options : nosniff";
 more_set_headers "X-XSS-Protection : 1; mode=block";
 more_set_headers "X-Download-Options : noopen";
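Review bot: The second added line in yunohost_admin.conf.inc clears Content-Security-Policy-Report-Only by setting it to an empty value, which leans on headers-more's empty-value-clears behaviour and only takes effect if the header name matches the one already emitted; security.conf.inc (the next hunk) spells it `Content-Security-Policy-Report-Only :` with a space before the colon, so whether the inherited report-only header is really removed from admin responses should be checked against a live response, and `more_clear_headers "Content-Security-Policy-Report-Only";` would state the intent without relying on that matching. Neither the new enforcing policy here nor the report-only policy in security.conf.inc carries a `report-uri` or `report-to` directive, so violations surface only in the browser console and never reach the server, which makes the report-only header in particular of little use as shipped. `script-src 'self' 'unsafe-eval'` is presumably there for the Handlebars templates referenced just below; a comment such as `# 'unsafe-eval' is required for runtime template compilation; drop it if templates are precompiled` would stop a later maintainer from removing it blindly or keeping it for no reason. The `location /yunohost/admin/` block continues outside the hunk.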
diff --git a/data/templates/nginx/yunohost_admin.conf b/data/templates/nginx/yunohost_admin.conf
index 3df838c4a..d13dbfe90 100644
--- a/data/templates/nginx/yunohost_admin.conf
+++ b/data/templates/nginx/yunohost_admin.conf
@@ -22,7 +22,6 @@ server {
 more_set_headers "Strict-Transport-Security : max-age=63072000; includeSubDomains; preload";
 more_set_headers "Referrer-Policy : 'same-origin'";
- more_set_headers "Content-Security-Policy : upgrade-insecure-requests; object-src 'none'; script-src https: 'unsafe-eval'";
 location / {
 return 302 https://$http_host/yunohost/admin;