From 90e093a482dc2bd6e0f7f0e6b08275a0c963dfad Mon Sep 17 00:00:00 2001
From: frju365
Date: Tue, 1 May 2018 23:44:23 +0200
Subject: [PATCH] Tweak the CSP config in nginx template for domains (#456)

* Little correction for template conf for apps

* Move the default-src CSP thing to report-only for now
---
 data/templates/nginx/server.tpl.conf | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/data/templates/nginx/server.tpl.conf b/data/templates/nginx/server.tpl.conf
index ac2ff8486..495a15bdc 100644
--- a/data/templates/nginx/server.tpl.conf
+++ b/data/templates/nginx/server.tpl.conf
@@ -46,7 +46,8 @@ server {
 # https://wiki.mozilla.org/Security/Guidelines/Web_Security
 # https://observatory.mozilla.org/
 add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
- add_header Content-Security-Policy "upgrade-insecure-requests; object-src 'none'; script-src https: 'unsafe-eval'";
+ add_header Content-Security-Policy "upgrade-insecure-requests;"
+ add_header Content-Security-Policy-Report-Only "default-src https: data: 'unsafe-inline' 'unsafe-eval'";
 add_header X-Content-Type-Options nosniff;
 add_header X-XSS-Protection "1; mode=block";
 add_header X-Download-Options noopen;
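Review bot: The first added line, `add_header Content-Security-Policy "upgrade-insecure-requests;"`, has no terminating `;` after the closing quote, so nginx reads the following `add_header Content-Security-Policy-Report-Only ...` as further arguments of the same directive and the configuration should fail to load (most likely an "invalid number of arguments in add_header directive" error at config test); the line should read `add_header Content-Security-Policy "upgrade-insecure-requests;";`. Beyond the syntax, note that the enforced policy now contains only `upgrade-insecure-requests`: the `object-src 'none'` and `script-src` restrictions from the removed line are gone entirely rather than moved to the report-only header, so plugin and script loading is no longer constrained at all. The Report-Only header carries no `report-uri`/`report-to` directive, so violations are only logged in the browser console and nothing reaches the server, which limits its value as a staging step toward enforcement; a comment such as `# Report-Only: no report endpoint configured, check browser console for violations` would make that explicit. The enclosing `server { ... }` block starts and ends outside the hunk.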