Merge pull request #1664 from aya/update-content-security-policy

Update "worker" Content-Security-Policy header when in experimental security mode
2024-09-03 20:06:10 +02:00 · 2023-05-20 18:47:44 +02:00 · 2023-05-20 18:47:44 +02:00 · b5068ad007
commit b5068ad007
parent 751930043f e8dd243218
1 changed files with 1 additions and 1 deletions
--- a/conf/nginx/security.conf.inc
+++ b/conf/nginx/security.conf.inc
@ -26,7 +26,7 @@ ssl_dhparam /usr/share/yunohost/ffdhe2048.pem;
 # https://wiki.mozilla.org/Security/Guidelines/Web_Security
 # https://observatory.mozilla.org/
 {% if experimental == "True" %}
-more_set_headers "Content-Security-Policy : upgrade-insecure-requests; default-src https: data: blob: ; object-src https: data: 'unsafe-inline'; style-src https: data: 'unsafe-inline' ; script-src https: data: 'unsafe-inline' 'unsafe-eval'";
+more_set_headers "Content-Security-Policy : upgrade-insecure-requests; default-src https: data: blob: ; object-src https: data: 'unsafe-inline'; style-src https: data: 'unsafe-inline' ; script-src https: data: 'unsafe-inline' 'unsafe-eval'; worker-src 'self' blob:;";
 {% else %}
 more_set_headers "Content-Security-Policy : upgrade-insecure-requests";
 {% endif %}