From 462dbfb5804121aa55eb47d55cd0cb3aa0745e40 Mon Sep 17 00:00:00 2001
From: Bauke <me@bauke.xyz>
Date: Fri, 7 Jul 2023 23:23:55 +0200
Subject: [PATCH] Map the content_security_policy header to the request_uri.

---
 .../nginx_site_config/templates/tildes.conf.jinja2 | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/ansible/roles/nginx_site_config/templates/tildes.conf.jinja2 b/ansible/roles/nginx_site_config/templates/tildes.conf.jinja2
index 92795cf..e7a348c 100644
--- a/ansible/roles/nginx_site_config/templates/tildes.conf.jinja2
+++ b/ansible/roles/nginx_site_config/templates/tildes.conf.jinja2
@@ -11,6 +11,15 @@ map $sent_http_content_type $expires_type_map {
     ~image/ max;
 }
 
+map $request_uri $csp_header {
+    # The default CSP:
+    # - "img-src data:" is needed for Spectre.css icons
+    default "default-src 'none'; script-src 'self'; style-src 'self'; img-src 'self' data:; connect-src 'self'; manifest-src 'self'; form-action 'self'; frame-ancestors 'none'; base-uri 'none'";
+    # The CSP for the Stripe donation page:
+    # - "https://js.stripe.com" in script-src and frame-src is needed for Stripe
+    "~^/donate_stripe$" "default-src 'none'; script-src 'self' https://js.stripe.com; style-src 'self'; img-src 'self' data:; connect-src 'self'; manifest-src 'self'; frame-src 'self' https://js.stripe.com; form-action 'self'; frame-ancestors 'none'; base-uri 'none'";
+}
+
 server {
     # block bots that don't obey robots.txt
     if ($http_user_agent ~* (SemrushBot)) {
@@ -39,10 +48,7 @@ server {
     {% endif %}
 
     {% if nginx_enable_csp %}
-      # Content Security Policy:
-      #   - "img-src data:" is needed for Spectre.css icons
-      #   - "https://js.stripe.com" in script-src and frame-src is needed for Stripe
-      add_header Content-Security-Policy "default-src 'none'; script-src 'self' https://js.stripe.com; style-src 'self'; img-src 'self' data:; connect-src 'self'; manifest-src 'self'; frame-src 'self' https://js.stripe.com; form-action 'self'; frame-ancestors 'none'; base-uri 'none'" always;
+      add_header Content-Security-Policy $csp_header always;
     {% endif %}
 
     add_header X-Content-Type-Options "nosniff" always;