From e8dd243218556a4dea5c7aa3b3cba446ccf6e278 Mon Sep 17 00:00:00 2001
From: Yann Autissier <yann.autissier@gmail.com>
Date: Fri, 19 May 2023 20:39:29 +0000
Subject: [PATCH] update Content-Security-Policy header for chromium

Chromium fails to load a jitsi video conference, refusing to create a
worker because it violates the Content Security Policy directive:
"script-src https: data: 'unsafe-inline' 'unsafe-eval'".
---
 conf/nginx/security.conf.inc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/conf/nginx/security.conf.inc b/conf/nginx/security.conf.inc
index fe853155b..44d7f86b4 100644
--- a/conf/nginx/security.conf.inc
+++ b/conf/nginx/security.conf.inc
@@ -26,7 +26,7 @@ ssl_dhparam /usr/share/yunohost/ffdhe2048.pem;
 # https://wiki.mozilla.org/Security/Guidelines/Web_Security
 # https://observatory.mozilla.org/
 {% if experimental == "True" %}
-more_set_headers "Content-Security-Policy : upgrade-insecure-requests; default-src https: data: blob: ; object-src https: data: 'unsafe-inline'; style-src https: data: 'unsafe-inline' ; script-src https: data: 'unsafe-inline' 'unsafe-eval'";
+more_set_headers "Content-Security-Policy : upgrade-insecure-requests; default-src https: data: blob: ; object-src https: data: 'unsafe-inline'; style-src https: data: 'unsafe-inline' ; script-src https: data: 'unsafe-inline' 'unsafe-eval'; worker-src 'self' blob:;";
 {% else %}
 more_set_headers "Content-Security-Policy : upgrade-insecure-requests";
 {% endif %}