YunoHost/yunohost
1
0
Fork 0
mirror of https://github.com/YunoHost/yunohost.git synced 2024-09-03 20:06:10 +02:00
Code Issues Projects Releases Packages Wiki Activity

Merge pull request #961 from YunoHost/add-wss-to-default-src

Browse source 
[enh] Real CSP headers for the webadmin
This commit is contained in:
Bram 2020-05-07 21:35:24 +02:00 committed by GitHub
commit dbac27cc38
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 4 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
data/templates/nginx/plain/yunohost_admin.conf.inc
View file

@ -6,6 +6,9 @@ location /yunohost/admin/ {
default_type text/html; default_type text/html;
index index.html; index index.html;
more_set_headers "Content-Security-Policy: upgrade-insecure-requests; default-src 'self'; connect-src 'self' https://raw.githubusercontent.com https://paste.yunohost.org wss://$host; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-eval'; object-src 'none';";
more_set_headers "Content-Security-Policy-Report-Only:";
# Short cache on handlebars templates # Short cache on handlebars templates
location ~* \.(?:ms)$ { location ~* \.(?:ms)$ {
expires 5m; expires 5m;

1
data/templates/nginx/yunohost_admin.conf
View file

@ -22,7 +22,6 @@ server {
more_set_headers "Strict-Transport-Security : max-age=63072000; includeSubDomains; preload"; more_set_headers "Strict-Transport-Security : max-age=63072000; includeSubDomains; preload";
more_set_headers "Referrer-Policy : 'same-origin'"; more_set_headers "Referrer-Policy : 'same-origin'";
more_set_headers "Content-Security-Policy : upgrade-insecure-requests; object-src 'none'; script-src https: 'unsafe-eval'";
location / { location / {
return 302 https://$http_host/yunohost/admin; return 302 https://$http_host/yunohost/admin;