From 462dbfb5804121aa55eb47d55cd0cb3aa0745e40 Mon Sep 17 00:00:00 2001
From: Bauke
Date: Fri, 7 Jul 2023 23:23:55 +0200
Subject: [PATCH] Map the content_security_policy header to the request_uri.
---
 .../nginx_site_config/templates/tildes.conf.jinja2 | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/ansible/roles/nginx_site_config/templates/tildes.conf.jinja2 b/ansible/roles/nginx_site_config/templates/tildes.conf.jinja2
index 92795cf..e7a348c 100644
--- a/ansible/roles/nginx_site_config/templates/tildes.conf.jinja2
+++ b/ansible/roles/nginx_site_config/templates/tildes.conf.jinja2
@@ -11,6 +11,15 @@ map $sent_http_content_type $expires_type_map {
 ~image/ max;
 }
+map $request_uri $csp_header {
+ # The default CSP:
+ # - "img-src data:" is needed for Spectre.css icons
+ default "default-src 'none'; script-src 'self'; style-src 'self'; img-src 'self' data:; connect-src 'self'; manifest-src 'self'; form-action 'self'; frame-ancestors 'none'; base-uri 'none'";
+ # The CSP for the Stripe donation page:
+ # - "https://js.stripe.com" in script-src and frame-src is needed for Stripe
+ "~^/donate_stripe$" "default-src 'none'; script-src 'self' https://js.stripe.com; style-src 'self'; img-src 'self' data:; connect-src 'self'; manifest-src 'self'; frame-src 'self' https://js.stripe.com; form-action 'self'; frame-ancestors 'none'; base-uri 'none'";
+}
+
 server {
 # block bots that don't obey robots.txt
 if ($http_user_agent ~* (SemrushBot)) { 
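Review bot: The regex key `"~^/donate_stripe$"` is matched against `$request_uri`, which carries the raw request line including any query string, so `/donate_stripe?…` (or a trailing-slash or percent-encoded variant of the path) falls through to `default` and the page would load under the policy that blocks js.stripe.com. The fallback direction is safe, since the stricter policy wins, but it breaks the donation page for any link that adds parameters. Either match the normalized path with `map $uri $csp_header {`, or keep `$request_uri` and let the pattern stop at the query string: `"~^/donate_stripe(?:\?|$)"`. The map block also sits outside the `{% if nginx_enable_csp %}` guard that wraps the header in the second hunk; that is harmless, but if intentional a comment such as `# Rendered even when nginx_enable_csp is off; only the add_header below is conditional.` would save the next reader a search.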
@@ -39,10 +48,7 @@ server {
 {% endif %}
 {% if nginx_enable_csp %}
- # Content Security Policy:
- # - "img-src data:" is needed for Spectre.css icons
- # - "https://js.stripe.com" in script-src and frame-src is needed for Stripe
- add_header Content-Security-Policy "default-src 'none'; script-src 'self' https://js.stripe.com; style-src 'self'; img-src 'self' data:; connect-src 'self'; manifest-src 'self'; frame-src 'self' https://js.stripe.com; form-action 'self'; frame-ancestors 'none'; base-uri 'none'" always;
+ add_header Content-Security-Policy $csp_header always;
 {% endif %}
 add_header X-Content-Type-Options "nosniff" always;
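Review bot: The removed comment explained why `data:` and `https://js.stripe.com` are allowed, and the replacement line `add_header Content-Security-Policy $csp_header always;` gives a reader no pointer to where the policy text now comes from. A one-line comment above it, `# Policy text is selected per request by the "map $request_uri $csp_header" block at the top of this file.`, keeps the trail without repeating the per-directive rationale that now lives next to each map value. Keeping `always` is the right call, since the header must also reach error responses. The enclosing server block starts and ends outside the hunk.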