From b32bc3a03431ea81fdeec51c0b8dd43f88ece049 Mon Sep 17 00:00:00 2001 From: Keoma Brun Date: Sun, 15 May 2022 18:33:44 +0200 Subject: [PATCH] Content Security Policies Report and Websockets MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Add the `wss:` field so that Nginx does not create warning when using Websocket over TLS. This modification only affects the `Report-Only` part of the CSP, that takes care of creating warnings in the logs. Warning ex (fr only sorry): ``` Content Security Policy: Les paramètres de la page ont empêché le chargement d’une ressource à wss://your.website.tld (« default-src »). Un rapport CSP est en cours d’envoi. ``` --- conf/nginx/security.conf.inc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/conf/nginx/security.conf.inc b/conf/nginx/security.conf.inc index 8eb8c8ae2..a35bb566e 100644 --- a/conf/nginx/security.conf.inc +++ b/conf/nginx/security.conf.inc @@ -29,7 +29,7 @@ ssl_dhparam /usr/share/yunohost/ffdhe2048.pem; more_set_headers "Content-Security-Policy : upgrade-insecure-requests; default-src https: data: blob: ; object-src https: data: 'unsafe-inline'; style-src https: data: 'unsafe-inline' ; script-src https: data: 'unsafe-inline' 'unsafe-eval'"; {% else %} more_set_headers "Content-Security-Policy : upgrade-insecure-requests"; -more_set_headers "Content-Security-Policy-Report-Only : default-src https: data: blob: ; object-src https: data: 'unsafe-inline'; style-src https: data: 'unsafe-inline' ; script-src https: data: 'unsafe-inline' 'unsafe-eval'"; +more_set_headers "Content-Security-Policy-Report-Only : default-src https: wss: data: blob: ; object-src https: data: 'unsafe-inline'; style-src https: data: 'unsafe-inline' ; script-src https: data: 'unsafe-inline' 'unsafe-eval'"; {% endif %} more_set_headers "X-Content-Type-Options : nosniff"; more_set_headers "X-XSS-Protection : 1; mode=block";