From cb128c25f2d7c4670f94eb5a85ce13044cbc5c1d Mon Sep 17 00:00:00 2001
From: Julien Palard
Date: Fri, 2 Feb 2024 09:04:34 +0100
Subject: [PATCH] CSPs

---
 pycon.fr.yml | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/pycon.fr.yml b/pycon.fr.yml
index d8f30b4..7d930e6 100644
--- a/pycon.fr.yml
+++ b/pycon.fr.yml
@@ -59,6 +59,12 @@
 add_header Strict-Transport-Security "max-age=63072000";
 add_header X-Content-Type-Options "nosniff";
 }
+ location ~ ^/2024/ {
+ add_header Content-Security-Policy "default-src 'none'; object-src 'self'; frame-ancestors 'self'; form-action 'none'; base-uri 'none'; frame-src 'self' https://framacarte.org; font-src 'self'; img-src 'self' https://openstreetmap.fr; script-src 'self' 'unsafe-inline' https://framasoft.org https://framacarte.org; style-src 'self' 'unsafe-inline'";
+ add_header Content-Security-Policy-Report-Only "default-src 'none'; object-src 'self'; frame-ancestors 'self'; form-action 'none'; base-uri 'none'; frame-src 'self' https://framacarte.org; font-src 'self'; img-src 'self' https://openstreetmap.fr; script-src 'self' https://framasoft.org https://framacarte.org; style-src 'self'";
+ add_header Strict-Transport-Security "max-age=63072000";
+ add_header X-Content-Type-Options "nosniff";
+ }
 # Prevent browsers from incorrectly detecting non-scripts as scripts
 add_header X-Content-Type-Options "nosniff";
 rewrite ^/2018/$ /2018/fr/index/ last;
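Review bot: The `Content-Security-Policy-Report-Only` header added in the new `location ~ ^/2024/` block carries no `report-uri`/`report-to` directive, so violations of the stricter policy (the variant without `'unsafe-inline'`) are only printed in a visitor's browser console and never reach the operators who need them to decide when that policy can be enforced; append a reporting endpoint to that value, e.g. `...; style-src 'self'; report-uri <REPORT_ENDPOINT_PLACEHOLDER>`, before relying on this header. The enforced policy's `script-src 'self' 'unsafe-inline'` and `style-src 'self' 'unsafe-inline'` leave most of CSP's XSS mitigation unrealized for /2024/; once the report-only run is clean, moving inline scripts into files or onto nonces/hashes lets the second policy become the enforced one. All four `add_header` directives in this block apply only to 2xx/3xx responses unless each is suffixed with `always`, so 404 and 5xx pages under /2024/ are served without CSP, HSTS or nosniff. `object-src 'self'` can also be tightened to `'none'` unless the site deliberately serves plugin content.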