# HG changeset patch # User IBBoard # Date 1577637835 0 # Node ID f99974dc0f1a63b50611c5da6b8c1a87494c30ec # Parent 241fbf45e6f302eb1ea3cedd41c5c5afd48c37d2 Add a way to skip setting CSP NextCloud manages CSP itself, so we don't need the header in the PIM subdomain causing confusion and incorrect results diff -r 241fbf45e6f3 -r f99974dc0f1a modules/website/manifests/https.pp --- a/modules/website/manifests/https.pp Sun Dec 29 11:00:05 2019 -0500 +++ b/modules/website/manifests/https.pp Sun Dec 29 16:43:55 2019 +0000 @@ -16,7 +16,9 @@ $force_no_www = true, $force_no_index = true, $lockdown_requests = true, + $csp = true, $csp_override = undef, + $csp_report = true, $csp_report_override = undef, ) { @@ -37,8 +39,12 @@ $primary_name = $name } - $csp_string = hash_to_csp($website::csp_base, $csp_override) - $csp_report_string = hash_to_csp($website::csp_report_base, $csp_report_override) + if $csp { + $csp_string = hash_to_csp($website::csp_base, $csp_override) + } + if $csp_report { + $csp_report_string = hash_to_csp($website::csp_report_base, $csp_report_override) + } $custom_conf0 = template('website/https_core_conf.erb') diff -r 241fbf45e6f3 -r f99974dc0f1a modules/website/manifests/https/multitld.pp --- a/modules/website/manifests/https/multitld.pp Sun Dec 29 11:00:05 2019 -0500 +++ b/modules/website/manifests/https/multitld.pp Sun Dec 29 16:43:55 2019 +0000 @@ -12,7 +12,9 @@ $custom_fragment = undef, $force_no_index = undef, $force_no_www = undef, - $csp_override = undef, + $csp = true, + $csp_override = undef, + $csp_report = true, $csp_report_override = undef, ) { @@ -45,7 +47,9 @@ custom_fragment => $custom_fragment, force_no_index => $force_no_index, force_no_www => $force_no_www, + csp => $csp, csp_override => $csp_override, + csp_report => $csp_report, csp_report_override => $csp_report_override, } } diff -r 241fbf45e6f3 -r f99974dc0f1a modules/website/templates/https_core_conf.erb 
--- a/modules/website/templates/https_core_conf.erb Sun Dec 29 11:00:05 2019 -0500 +++ b/modules/website/templates/https_core_conf.erb Sun Dec 29 16:43:55 2019 +0000 @@ -1,6 +1,10 @@ Header always set Strict-Transport-Security "max-age=16070400; includeSubDomains" +<%- if @csp -%> Header always set Content-Security-Policy "upgrade-insecure-requests; <%= @csp_string %>" +<%- end -%> +<%- if @csp_report -%> Header always set Content-Security-Policy-Report-Only "<%= @csp_report_string %>" +<%- end -%> Header always set X-Xss-Protection "1; mode=block" Header always set X-Content-Type-Options "nosniff" Header always set X-Frame-Options "SAMEORIGIN"
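Review bot: The new `$csp` and `$csp_report` parameters in the `website::https` parameter list are undocumented, and nothing says that `csp => false` suppresses the whole `Content-Security-Policy` header (not just the override) or that it exists for sites such as NextCloud that emit their own policy. Add a short comment above the two parameters stating that, and that the two flags are independent, so a site that manages its own policy needs to decide about the report-only header separately.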
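Review bot: In the `https.pp` body hunk, `csp => false` combined with a non-empty `$csp_override` is silently ignored, since `$csp_string` is never computed and the template never emits it; the same holds for `$csp_report` and `$csp_report_override`. A contradictory call is almost certainly a mistake, so fail loudly, e.g. `if !$csp and $csp_override { fail('csp_override given but csp is false') }` before the `if $csp {` block. Note also that the hunk only works because Puppet `if` blocks do not open a new scope, so `$csp_string` is still visible to the ERB template when assigned; when `$csp` is false the variable is simply undefined, which is harmless only as long as the template guards on `@csp` and not on `@csp_string`.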
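Review bot: In the `multitld.pp` parameter hunk, `$csp = true` and `$csp_report = true` duplicate the defaults already set in `website::https`, so the two definitions can drift apart if either default changes. The neighbouring forwarded parameters `$force_no_index` and `$force_no_www` default to `undef` so that the inner define's own default applies; use `$csp = undef` and `$csp_report = undef` here for the same reason, keeping the default in one place.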
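Review bot: In the template hunk, `upgrade-insecure-requests` is part of the guarded `Content-Security-Policy` line, so `csp => false` also drops that directive, which is not mentioned in the commit message; if it is still wanted on the NextCloud subdomain it has to come from the application's own policy. The guard itself is the right fix: `Header always set` replaces any same-named header the backend already sent, so the previous unconditional line would have overwritten NextCloud's policy with this one. Because the `Content-Security-Policy-Report-Only` line is guarded separately, the NextCloud site needs both `csp => false` and `csp_report => false` if the report-only header is unwanted there. Worth checking after deploy with `curl -sI https://<host>/ | grep -i content-security-policy` that exactly one `Content-Security-Policy` header comes back and that it is the application's, not the template's.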