YunoHost/yunohost
1
0
Fork 0
mirror of https://github.com/YunoHost/yunohost.git synced 2024-09-03 20:06:10 +02:00
Code Issues Projects Releases Packages Wiki Activity

Content Security Policies Report and Websockets

Browse source 
Add the `wss:` field so that Nginx does not create warning when using Websocket over TLS.

This modification only affects the `Report-Only` part of the CSP, that takes care of creating warnings in the logs.

Warning ex (fr only sorry):
```
Content Security Policy: Les paramètres de la page ont empêché le chargement d’une ressource à wss://your.website.tld (« default-src »). Un rapport CSP est en cours d’envoi.
```
This commit is contained in:
Keoma Brun 2022-05-15 18:33:44 +02:00 committed by GitHub
parent ea5bfd1693
commit b32bc3a034
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 1 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
conf/nginx/security.conf.inc
View file

@ -29,7 +29,7 @@ ssl_dhparam /usr/share/yunohost/ffdhe2048.pem;
more_set_headers "Content-Security-Policy : upgrade-insecure-requests; default-src https: data: blob: ; object-src https: data: 'unsafe-inline'; style-src https: data: 'unsafe-inline' ; script-src https: data: 'unsafe-inline' 'unsafe-eval'";
{% else %}
more_set_headers "Content-Security-Policy : upgrade-insecure-requests";
more_set_headers "Content-Security-Policy-Report-Only : default-src https: data: blob: ; object-src https: data: 'unsafe-inline'; style-src https: data: 'unsafe-inline' ; script-src https: data: 'unsafe-inline' 'unsafe-eval'";
more_set_headers "Content-Security-Policy-Report-Only : default-src https: wss: data: blob: ; object-src https: data: 'unsafe-inline'; style-src https: data: 'unsafe-inline' ; script-src https: data: 'unsafe-inline' 'unsafe-eval'";
{% endif %}
more_set_headers "X-Content-Type-Options : nosniff";
more_set_headers "X-XSS-Protection : 1; mode=block";