Enforce CSP rules for real on webadmin

data/templates/nginx/plain/yunohost_admin.conf.inc

@@ -6,6 +6,9 @@ location /yunohost/admin/ {
     default_type text/html;
     index index.html;
 
+    more_set_headers "Content-Security-Policy: upgrade-insecure-requests; default-src 'self'; connect-src 'self' https://raw.githubusercontent.com https://paste.yunohost.org wss://$host; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-eval'; object-src 'none';";
+    more_set_headers "Content-Security-Policy-Report-Only:";
+
     # Short cache on handlebars templates
     location ~* \.(?:ms)$ {
       expires 5m;

data/templates/nginx/security.conf.inc

@@ -22,7 +22,7 @@ ssl_prefer_server_ciphers off;
 # https://wiki.mozilla.org/Security/Guidelines/Web_Security
 # https://observatory.mozilla.org/
 more_set_headers "Content-Security-Policy : upgrade-insecure-requests";
-more_set_headers "Content-Security-Policy-Report-Only : default-src https: data: wss: 'unsafe-inline' 'unsafe-eval'  ";
+more_set_headers "Content-Security-Policy-Report-Only : default-src https: data: 'unsafe-inline' 'unsafe-eval'  ";
 more_set_headers "X-Content-Type-Options : nosniff";
 more_set_headers "X-XSS-Protection : 1; mode=block";
 more_set_headers "X-Download-Options : noopen";

data/templates/nginx/yunohost_admin.conf

@@ -22,7 +22,6 @@ server {
 
     more_set_headers "Strict-Transport-Security : max-age=63072000; includeSubDomains; preload";
     more_set_headers "Referrer-Policy : 'same-origin'";
-    more_set_headers "Content-Security-Policy : upgrade-insecure-requests; object-src 'none'; script-src https: 'unsafe-eval'";
 
     location / {
         return 302 https://$http_host/yunohost/admin;