nginx: add Content-Security-Policy-Report-Only header to all content sites

timmywil · timmywil · commit e00a878a5952 · 2024-08-12T10:48:55.000-04:00
Fixes gh-54
diff --git a/modules/profile/templates/contentorigin/site.nginx.erb b/modules/profile/templates/contentorigin/site.nginx.erb
@@ -19,6 +19,9 @@ server {
     expires 30d;
 
     add_header Access-Control-Allow-Origin "*";
+
+    # Add Content Security Policy headers
+    add_header Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self' code.jquery.com; connect-src 'self'; img-src 'self'; style-src 'self'; report-to https://csp-report-api.openjs-foundation.workers.dev/";
   }
 
   location /.well-known/acme-challenge {
diff --git a/modules/profile/templates/gruntjscom/site.nginx.erb b/modules/profile/templates/gruntjscom/site.nginx.erb
@@ -16,6 +16,9 @@ server {
     proxy_pass http://localhost:<%= @backend_port %>;
     proxy_redirect off;
     proxy_buffering off;
+
+    # Add Content Security Policy headers
+    add_header Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self' code.jquery.com; connect-src 'self'; img-src 'self'; style-src 'self'; report-to https://csp-report-api.openjs-foundation.workers.dev/";
   }
 
   location /.well-known/acme-challenge {
diff --git a/modules/profile/templates/miscweb/site.nginx.erb b/modules/profile/templates/miscweb/site.nginx.erb
@@ -51,6 +51,12 @@ server {
     include              /etc/nginx/fastcgi_params;
   }
 <%- end -%>
+
+  location / {
+
+    # Add Content Security Policy headers
+    add_header Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self' code.jquery.com; connect-src 'self'; img-src 'self'; style-src 'self'; report-to https://csp-report-api.openjs-foundation.workers.dev/";
+  }
 }
 
 # vim: ts=2 sw=2 et
diff --git a/modules/profile/templates/wordpress/base/default-tls.nginx.erb b/modules/profile/templates/wordpress/base/default-tls.nginx.erb
@@ -20,5 +20,8 @@ server {
 
   location / {
     deny all;
+
+    # Add Content Security Policy headers
+    add_header Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self' code.jquery.com; connect-src 'self'; img-src 'self'; style-src 'self'; report-to https://csp-report-api.openjs-foundation.workers.dev/";
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -19,6 +19,9 @@ server {`
`19`	`19`	`expires 30d;`
`20`	`20`
`21`	`21`	`add_header Access-Control-Allow-Origin "*";`
	`22`	`+`
	`23`	`+ # Add Content Security Policy headers`
	`24`	`+ add_header Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self' code.jquery.com; connect-src 'self'; img-src 'self'; style-src 'self'; report-to https://csp-report-api.openjs-foundation.workers.dev/";`
`22`	`25`	`}`
`23`	`26`
`24`	`27`	`location /.well-known/acme-challenge {`
Original file line number	Diff line number	Diff line change
`@@ -16,6 +16,9 @@ server {`
`16`	`16`	`proxy_pass http://localhost:<%= @backend_port %>;`
`17`	`17`	`proxy_redirect off;`
`18`	`18`	`proxy_buffering off;`
	`19`	`+`
	`20`	`+ # Add Content Security Policy headers`
	`21`	`+ add_header Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self' code.jquery.com; connect-src 'self'; img-src 'self'; style-src 'self'; report-to https://csp-report-api.openjs-foundation.workers.dev/";`
`19`	`22`	`}`
`20`	`23`
`21`	`24`	`location /.well-known/acme-challenge {`
Original file line number	Diff line number	Diff line change
`@@ -51,6 +51,12 @@ server {`
`51`	`51`	`include /etc/nginx/fastcgi_params;`
`52`	`52`	`}`
`53`	`53`	`<%- end -%>`
	`54`	`+`
	`55`	`+ location / {`
	`56`	`+`
	`57`	`+ # Add Content Security Policy headers`
	`58`	`+ add_header Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self' code.jquery.com; connect-src 'self'; img-src 'self'; style-src 'self'; report-to https://csp-report-api.openjs-foundation.workers.dev/";`
	`59`	`+ }`
`54`	`60`	`}`
`55`	`61`
`56`	`62`	`# vim: ts=2 sw=2 et`
Original file line number	Diff line number	Diff line change
`@@ -20,5 +20,8 @@ server {`
`20`	`20`
`21`	`21`	`location / {`
`22`	`22`	`deny all;`
	`23`	`+`
	`24`	`+ # Add Content Security Policy headers`
	`25`	`+ add_header Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self' code.jquery.com; connect-src 'self'; img-src 'self'; style-src 'self'; report-to https://csp-report-api.openjs-foundation.workers.dev/";`
`23`	`26`	`}`
`24`	`27`	`}`