From 1cc3e44038746455dc5008ad2cae7f81abe9bc0e Mon Sep 17 00:00:00 2001
From: Alexandre Aubin <alex.aubin@mailoo.org>
Date: Sat, 6 Nov 2021 16:45:25 +0100
Subject: [PATCH] nginx: Refine experimental CSP header (in the end still gotta
 enable unsafe-inline and unsafe-eval for a bunch of things, but better than
 no policy at all...)

---
 data/templates/nginx/security.conf.inc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/data/templates/nginx/security.conf.inc b/data/templates/nginx/security.conf.inc
index bcb821770..8d261daeb 100644
--- a/data/templates/nginx/security.conf.inc
+++ b/data/templates/nginx/security.conf.inc
@@ -26,11 +26,11 @@ ssl_dhparam /usr/share/yunohost/other/ffdhe2048.pem;
 # https://wiki.mozilla.org/Security/Guidelines/Web_Security
 # https://observatory.mozilla.org/
 {% if experimental == "True" %}
-more_set_headers "Content-Security-Policy : upgrade-insecure-requests; default-src https: data:";
+more_set_headers "Content-Security-Policy : upgrade-insecure-requests; default-src https: data: blob: ; object-src https: data: 'unsafe-inline'; style-src https: data: 'unsafe-inline' ; script-src https: data: 'unsafe-inline' 'unsafe-eval'";
 {% else %}
 more_set_headers "Content-Security-Policy : upgrade-insecure-requests";
+more_set_headers "Content-Security-Policy-Report-Only : default-src https: data: blob: ; object-src https: data: 'unsafe-inline'; style-src https: data: 'unsafe-inline' ; script-src https: data: 'unsafe-inline' 'unsafe-eval'";
 {% endif %}
-more_set_headers "Content-Security-Policy-Report-Only : default-src https: data: 'unsafe-inline' 'unsafe-eval'  ";
 more_set_headers "X-Content-Type-Options : nosniff";
 more_set_headers "X-XSS-Protection : 1; mode=block";
 more_set_headers "X-Download-Options : noopen";