# HG changeset patch # User IBBoard # Date 1576704170 0 # Node ID 4519b727cc4cad5f14b8b661eb59ca21295bc499 # Parent e602c5f974ac4b22a4268a2ff8af6f325149d959 Make Content-Security-Policy cleaner and easier to set diff -r e602c5f974ac -r 4519b727cc4c manifests/templates.pp --- a/manifests/templates.pp Sun Dec 15 16:28:47 2019 +0000 +++ b/manifests/templates.pp Wed Dec 18 21:22:50 2019 +0000 @@ -496,6 +496,16 @@ website::https::multitld { 'www.ibboard': custom_fragment => template("private/apache/ibboard.fragment"), letsencrypt_name => 'ibboard.co.uk', + csp_override => { + "report-uri" => "https://ibboard.report-uri.com/r/d/csp/enforce", + "default-src" => "'none'", + "img-src" => "'self' https://live.staticflickr.com/", + "script-src" => "'self'", + "style-src" => "'self'", + "font-src" => "'self'", + "form-action" => "'self'", + "connect-src" => "'self'", + } } include hiveworldterrasite include bdstrikesite @@ -555,6 +565,12 @@ docroot_group => 'editors', letsencrypt_name => 'bdstrike.co.uk', custom_fragment => template("private/apache/bdstrike.fragment"), + csp_override => {"frame-ancestors" => "'self'"}, + csp_report_override => { + "font-src" => "'self' https://fonts.gstatic.com/", + "img-src" => "'self' https://secure.gravatar.com/", + "style-src" => "'self' https://fonts.googleapis.com/" + }, } $aliases = [ 'strikecreations.co.uk', diff -r e602c5f974ac -r 4519b727cc4c modules/website/files/zzz-0-custom.conf --- a/modules/website/files/zzz-0-custom.conf Sun Dec 15 16:28:47 2019 +0000 +++ b/modules/website/files/zzz-0-custom.conf Wed Dec 18 21:22:50 2019 +0000 
@@ -90,7 +90,5 @@ ServerTokens Minor Header always set Referrer-Policy "no-referrer-when-downgrade" +# FIXME: This shouldn't be a fixed URL! Header always set Expect-CT "max-age=0, report-uri='https://ibboard.report-uri.io/r/default/ct/reportOnly'" -Header always set Content-Security-Policy "upgrade-insecure-requests; frame-ancestors 'none'; base-uri 'none'" -Header always set Content-Security-Policy-Report-Only "default-src 'none'; img-src 'self'; script-src 'self'; style-src 'self'; font-src 'self'" -#; report-uri https://ibboard.report-uri.com/r/d/csp/reportOnly" \ No newline at end of file diff -r e602c5f974ac -r 4519b727cc4c modules/website/manifests/https.pp --- a/modules/website/manifests/https.pp Sun Dec 15 16:28:47 2019 +0000 +++ b/modules/website/manifests/https.pp Wed Dec 18 21:22:50 2019 +0000 @@ -16,6 +16,8 @@ $force_no_www = true, $force_no_index = true, $lockdown_requests = true, + $csp_override = undef, + $csp_report_override = undef, ) { if ! defined(Class['website']) { @@ -35,6 +37,9 @@ $primary_name = $name } + $csp_string = hash_to_csp($website::csp_base, $csp_override) + $csp_report_string = hash_to_csp($website::csp_report_base, $csp_report_override) + $custom_conf0 = template('website/https_core_conf.erb') if $force_no_index { diff -r e602c5f974ac -r 4519b727cc4c modules/website/manifests/https/multitld.pp --- a/modules/website/manifests/https/multitld.pp Sun Dec 15 16:28:47 2019 +0000 +++ b/modules/website/manifests/https/multitld.pp Wed Dec 18 21:22:50 2019 +0000 @@ -12,6 +12,8 @@ $custom_fragment = undef, $force_no_index = undef, $force_no_www = undef, + $csp_override = undef, + $csp_report_override = undef, ) { if ! defined(Class['website']) { @@ -43,5 +45,7 @@ custom_fragment => $custom_fragment, force_no_index => $force_no_index, force_no_www => $force_no_www, + csp_override => $csp_override, + csp_report_override => $csp_report_override, } } diff -r e602c5f974ac -r 4519b727cc4c modules/website/manifests/init.pp 
--- a/modules/website/manifests/init.pp Sun Dec 15 16:28:47 2019 +0000 +++ b/modules/website/manifests/init.pp Wed Dec 18 21:22:50 2019 +0000 @@ -26,6 +26,15 @@ $filterfragment = "Include conf.custom/filter.conf" $cmsfragment = "Include conf.extra/cms_rewrites.conf" + $csp_base = {"frame-ancestors" => "'none'", "base-uri" => "'none'"} + $csp_report_base = { + "default-src" => "'none'", + "img-src" => "'self'", + "script-src" => "'self'", + "style-src" => "'self'", + "font-src" => "'self'" + } + class { 'apache': default_mods => false, default_vhost => false, diff -r e602c5f974ac -r 4519b727cc4c modules/website/templates/https_core_conf.erb --- a/modules/website/templates/https_core_conf.erb Sun Dec 15 16:28:47 2019 +0000 +++ b/modules/website/templates/https_core_conf.erb Wed Dec 18 21:22:50 2019 +0000 @@ -1,4 +1,6 @@ Header always set Strict-Transport-Security "max-age=16070400; includeSubDomains" +Header always set Content-Security-Policy "upgrade-insecure-requests; <%= @csp_string %>" +Header always set Content-Security-Policy-Report-Only "<%= @csp_report_string %>" Header set X-Xss-Protection "1; mode=block" Header set X-Content-Type-Options "nosniff" Header set X-Frame-Options "SAMEORIGIN"
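Review bot: the `csp_override` block for `www.ibboard` in the first `manifests/templates.pp` hunk silently turns a report-only policy into an enforced one, which the commit message ("cleaner and easier to set") does not mention. Before this change `default-src 'none'; img-src 'self'; script-src 'self'; style-src 'self'; font-src 'self'` lived only in the `Content-Security-Policy-Report-Only` header in `zzz-0-custom.conf`; putting the same directives into `csp_override` makes them part of the enforced `Content-Security-Policy` for this site. Worth stating in the commit message that the report-only period for `www.ibboard` is over, and confirming that the reports collected at `https://ibboard.report-uri.com/r/d/csp/reportOnly` showed no outstanding violations beyond the `https://live.staticflickr.com/` image source that is whitelisted here.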
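Review bot: the `csp_report_override` hash in the second `manifests/templates.pp` hunk (bdstrike) ends without a trailing comma (`"style-src" => "'self' https://fonts.googleapis.com/"`), whereas the `csp_override` hash for `www.ibboard` in the previous hunk ends with one (`"connect-src" => "'self'",`). Pick one style for these hashes; the trailing-comma form keeps future diffs to a single added line.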
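Review bot: the `modules/website/files/zzz-0-custom.conf` hunk removes the commented-out `#; report-uri https://ibboard.report-uri.com/r/d/csp/reportOnly` line and nothing in the changeset carries a reporting endpoint into `$csp_report_base`, so the `Content-Security-Policy-Report-Only` header emitted for every site other than `www.ibboard` has no `report-uri` and its violations surface only in the browser console. If the intent is still to gather report-only data before enforcing, add a `report-uri` directive to `$csp_report_base` in `init.pp` (or to each site's `csp_report_override`). The new `FIXME` on the `Expect-CT` line is also a reminder that this header still reports to `ibboard.report-uri.io` while the CSP overrides use `ibboard.report-uri.com`; both should probably come from one parameter.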
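Review bot: the two new parameters in the first `modules/website/manifests/https.pp` hunk (`$csp_override = undef`, `$csp_report_override = undef`) come with no documentation of what an override does to the base policy. The site-level hashes in `templates.pp` restate `'self'` in every source list they touch (`"img-src" => "'self' https://live.staticflickr.com/"`), which suggests an override replaces a directive's whole value rather than appending sources; a short comment on each parameter saying that a key replaces the same key in `$website::csp_base` / `$website::csp_report_base` would stop the next site definition from getting it wrong.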
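Review bot: `hash_to_csp()` is called in the second `modules/website/manifests/https.pp` hunk (`$csp_string = hash_to_csp($website::csp_base, $csp_override)`) but is not defined anywhere in this changeset. Either the function file is missing from the commit or it already exists in the module; in both cases the call relies on it accepting `undef` as the second argument, because both `$csp_override` and `$csp_report_override` default to `undef` in `https.pp` and `multitld.pp`. Please confirm that path is handled (and ideally add a spec test for the `undef` override and for a single-key override), since a failure here breaks catalog compilation for every site that does not set an override.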
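Review bot: in the `modules/website/manifests/init.pp` hunk, `upgrade-insecure-requests` from the old enforced header is not part of `$csp_base`; it is instead hard-coded into the template (`"upgrade-insecure-requests; <%= @csp_string %>"`), so unlike `frame-ancestors` and `base-uri` it cannot be adjusted per site through `csp_override`. If that split is deliberate, a comment on `$csp_base` saying so would help; otherwise moving it into the hash keeps all enforced directives in one place. As with the bdstrike hash, `$csp_report_base` also lacks the trailing comma used by the other hashes in this changeset.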
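Review bot: the `modules/website/templates/https_core_conf.erb` hunk now emits `frame-ancestors 'none'` (from `$csp_base`) in the enforced policy for every site while the unchanged context line two below it still sets `Header set X-Frame-Options "SAMEORIGIN"`. Browsers that understand `frame-ancestors` ignore `X-Frame-Options`, so for most sites the effective policy is "no framing at all", with only bdstrike (which overrides to `frame-ancestors 'self'`) matching the `SAMEORIGIN` fallback; consider aligning the two, e.g. `X-Frame-Options "DENY"` as the default with bdstrike overriding. Also note that both `<%= @csp_string %>` and `<%= @csp_report_string %>` are interpolated inside double-quoted Apache header values, so a directive value containing a double quote would break the `Header` line; the current values only use single quotes, but `hash_to_csp` or its callers should guard against that.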