
CSP: set default-src to 'self' for lenient and 'none' for strict.
Remove more specific directives that would duplicate this.
thijskh committed Nov 22, 2023
1 parent 7b0d94e commit 4947136
Showing 1 changed file with 6 additions and 6 deletions.
12 changes: 6 additions & 6 deletions group_vars/all.yml
Expand Up @@ -31,12 +31,12 @@ environment_shortname: ""
environment_ribbon_colour: ""

httpd_csp:
lenient: "default-src; object-src 'none'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; font-src 'self'; connect-src 'self'; img-src 'self' data:; form-action 'self'; frame-ancestors 'none'; base-uri 'none'"
lenient_with_static_img: "default-src; object-src 'none'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; font-src 'self'; connect-src 'self'; img-src 'self' https://{{ static_vhost }} data:; form-action 'self'; frame-ancestors 'none'; base-uri 'none'"
lenient_with_static_img_with_oidcng: "default-src; object-src 'none'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; font-src 'self'; connect-src 'self' https://{{ oidcng_vhost }}; img-src 'self' https://{{ static_vhost }} data:; form-action 'self'; frame-ancestors 'none'; base-uri 'none'"
strict: "default-src; object-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self'; connect-src 'self'; img-src 'self' data:; form-action 'self'; frame-ancestors 'none'; base-uri 'none'"
strict_with_static_img: "default-src; object-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self'; connect-src 'self'; img-src 'self' https://{{ static_vhost }} data:; form-action 'self'; frame-ancestors 'none'; base-uri 'none'"
lenient_with_static_img_for_idp: "default-src; object-src 'none'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; font-src 'self'; connect-src 'self' https://{{ oidcng_vhost }}; img-src 'self' https://{{ static_vhost }} data:; form-action 'self' https://*.{{ base_domain }}; frame-ancestors 'none'; base-uri 'none'"
lenient: "default-src 'self'; object-src 'none'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; form-action 'self'; frame-ancestors 'none'; base-uri 'none'"
lenient_with_static_img: "default-src 'self'; object-src 'none'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' https://{{ static_vhost }} data:; form-action 'self'; frame-ancestors 'none'; base-uri 'none'"
lenient_with_static_img_with_oidcng: "default-src 'self'; object-src 'none'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; connect-src 'self' https://{{ oidcng_vhost }}; img-src 'self' https://{{ static_vhost }} data:; form-action 'self'; frame-ancestors 'none'; base-uri 'none'"
strict: "default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self'; connect-src 'self'; img-src 'self' data:; form-action 'self'; frame-ancestors 'none'; base-uri 'none'"
strict_with_static_img: "default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self'; connect-src 'self'; img-src 'self' https://{{ static_vhost }} data:; form-action 'self'; frame-ancestors 'none'; base-uri 'none'"
lenient_with_static_img_for_idp: "default-src 'none'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; font-src 'self'; connect-src 'self' https://{{ oidcng_vhost }}; img-src 'self' https://{{ static_vhost }} data:; form-action 'self' https://*.{{ base_domain }}; frame-ancestors 'none'; base-uri 'none'"

nothing: "default-src 'none'; frame-ancestors 'none'; form-action 'none'; base-uri 'none'"
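Review bot: The new `lenient_with_static_img_for_idp` line sets `default-src 'none'`, which contradicts the rule the commit title states (lenient → 'self', strict → 'none') and makes it the only `lenient_*` policy that still has to carry `font-src 'self'` and `connect-src 'self'` explicitly; either the value should be `'self'` like the other lenient variants, or the key deserves a rename or a comment explaining why the IdP variant is strict by design. Separately, the previous `default-src;` carried an empty source list, which CSP treats as matching nothing, so moving the lenient variants to `'self'` widens them: fetch directives that are not listed (frame-src, worker-src, media-src, manifest-src) now allow same-origin loads where they were denied before, and the strict variants keep denying them. I would record that distinction above the map so the next editor does not "fix" it: `# lenient: default-src 'self', so any fetch directive not listed allows same-origin; strict: default-src 'none', so every permitted source must be listed explicitly`.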

