From 5927449083f944e40bf5a1a7262e783b5af48f85 Mon Sep 17 00:00:00 2001 From: Timmy Willison Date: Fri, 6 Dec 2024 11:44:38 -0500 Subject: [PATCH] All: switch to non-report CSP headers Closes gh-54 --- modules/profile/templates/contentorigin/site.nginx.erb | 2 +- modules/profile/templates/gruntjscom/site.nginx.erb | 2 +- modules/profile/templates/miscweb/site.nginx.erb | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/modules/profile/templates/contentorigin/site.nginx.erb b/modules/profile/templates/contentorigin/site.nginx.erb index 1cc80b7..c504c36 100644 --- a/modules/profile/templates/contentorigin/site.nginx.erb +++ b/modules/profile/templates/contentorigin/site.nginx.erb @@ -15,7 +15,7 @@ server { # Add Content Security Policy headers add_header Reporting-Endpoints "csp-endpoint='https://csp-report-api.openjs-foundation.workers.dev/'"; - add_header Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self' code.jquery.com; connect-src 'self'; img-src 'self'; style-src 'self'; report-uri https://csp-report-api.openjs-foundation.workers.dev/; report-to csp-endpoint"; + add_header Content-Security-Policy "default-src 'self'; script-src 'self' code.jquery.com; connect-src 'self'; img-src 'self'; style-src 'self'; report-uri https://csp-report-api.openjs-foundation.workers.dev/; report-to csp-endpoint"; location / { root /srv/www/content.jquery.com; diff --git a/modules/profile/templates/gruntjscom/site.nginx.erb b/modules/profile/templates/gruntjscom/site.nginx.erb index fd28a72..2f3d559 100644 --- a/modules/profile/templates/gruntjscom/site.nginx.erb +++ b/modules/profile/templates/gruntjscom/site.nginx.erb @@ -21,7 +21,7 @@ server { add_header Reporting-Endpoints "csp-endpoint='https://csp-report-api.openjs-foundation.workers.dev/'"; # script-src: add 'unsafe-eval' for the search functionality on gruntjs.com/plugins # Search will need to be reimplemented to remove this exception. - add_header Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self' 'unsafe-eval'; connect-src 'self'; img-src 'self'; style-src 'self'; report-uri https://csp-report-api.openjs-foundation.workers.dev/; report-to csp-endpoint" always; + add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-eval'; connect-src 'self'; img-src 'self'; style-src 'self'; report-uri https://csp-report-api.openjs-foundation.workers.dev/; report-to csp-endpoint" always; } location /.well-known/acme-challenge { diff --git a/modules/profile/templates/miscweb/site.nginx.erb b/modules/profile/templates/miscweb/site.nginx.erb index 12afbef..b3f0630 100644 --- a/modules/profile/templates/miscweb/site.nginx.erb +++ b/modules/profile/templates/miscweb/site.nginx.erb @@ -21,13 +21,13 @@ server { # Add Content Security Policy headers add_header Reporting-Endpoints "csp-endpoint='https://csp-report-api.openjs-foundation.workers.dev/'"; <%- if @site['csp_header'] -%> - add_header Content-Security-Policy-Report-Only "<%= @site['csp_header'] %>"; + add_header Content-Security-Policy "<%= @site['csp_header'] %>"; <%- else -%> # script-src: add 'wasm-unsafe-eval' for WebAssembly-driven search on # bugs.jquery.com, bugs.jqueryui.com, and plugins.jquery.com # img-src: allow secure.gravatar.com images on plugins.jquery.com # media-src: allow content.jquery.com media on podcast.jquery.com - add_header Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self' 'wasm-unsafe-eval' code.jquery.com; connect-src 'self'; img-src 'self' secure.gravatar.com; style-src 'self'; media-src 'self' content.jquery.com; report-uri https://csp-report-api.openjs-foundation.workers.dev/; report-to csp-endpoint"; + add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'wasm-unsafe-eval' code.jquery.com; connect-src 'self'; img-src 'self' secure.gravatar.com; style-src 'self'; media-src 'self' content.jquery.com; report-uri https://csp-report-api.openjs-foundation.workers.dev/; report-to csp-endpoint"; <%- end -%> <%- if @site['allow_php'] -%>