FIX one CSP in AFPy.org/admin/, there's still inline styles.

2023-04-11 18:45:39 +02:00 · 2023-04-11 18:45:39 +02:00 · 976a8a2608
parent 60b09a457f
commit 976a8a2608
1 changed files with 3 additions and 1 deletions
--- a/afpy.org.yml
+++ b/afpy.org.yml
@ -66,7 +66,9 @@
              index index.html;
              add_header Reporting-Endpoints xmpp="https://http-to-xmpp.afpy.org";
              add_header Report-To '{"group": "xmpp", "max_age": 86400, "endpoints": [{"url": "https://http-to-xmpp.afpy.org"}]}';
-              add_header Content-Security-Policy "default-src 'none'; img-src 'self'; style-src 'self'; script-src 'self'; frame-ancestors 'self'; frame-src https://www.helloasso.com https://web.libera.chat; report-uri https://http-to-xmpp.afpy.org; report-to xmpp";
+              # font-src 'self' for afpy.org/admin/ which loads fonts like:
+              # https://www.afpy.org/admin/static/bootstrap/bootstrap4/fonts/fontawesome-webfont.eot?#iefix&v=4.7.0
+              add_header Content-Security-Policy "default-src 'none'; font-src 'self'; img-src 'self'; style-src 'self'; script-src 'self'; frame-ancestors 'self'; frame-src https://www.helloasso.com https://web.libera.chat; report-uri https://http-to-xmpp.afpy.org; report-to xmpp";
              add_header X-Content-Type-Options "nosniff";

              location /discord