changeset 236:4519b727cc4c puppet-3.6

Make Content-Security-Policy cleaner and easier to set
author IBBoard <dev@ibboard.co.uk>
date Wed, 18 Dec 2019 21:22:50 +0000
parents e602c5f974ac
children 1e65604c182a
files manifests/templates.pp modules/website/files/zzz-0-custom.conf modules/website/manifests/https.pp modules/website/manifests/https/multitld.pp modules/website/manifests/init.pp modules/website/templates/https_core_conf.erb
diffstat 6 files changed, 37 insertions(+), 3 deletions(-) [+]
--- a/manifests/templates.pp	Sun Dec 15 16:28:47 2019 +0000
+++ b/manifests/templates.pp	Wed Dec 18 21:22:50 2019 +0000
@@ -496,6 +496,16 @@
 	website::https::multitld { 'www.ibboard':
 		custom_fragment => template("private/apache/ibboard.fragment"),
 		letsencrypt_name => 'ibboard.co.uk',
+		csp_override => {
+			"report-uri" => "https://ibboard.report-uri.com/r/d/csp/enforce",
+			"default-src" => "'none'",
+			"img-src" => "'self' https://live.staticflickr.com/",
+			"script-src" => "'self'",
+			"style-src" => "'self'",
+			"font-src" => "'self'",
+			"form-action" => "'self'",
+			"connect-src" => "'self'",
+		}
 	}
 	include hiveworldterrasite
 	include bdstrikesite
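Review bot: The enforced policy for www.ibboard now depends entirely on how `hash_to_csp` merges `$website::csp_base` with this override, and that function is not part of the changeset, so it cannot be seen here whether `frame-ancestors 'none'` and `base-uri 'none'` from the base survive next to `default-src 'none'` (default-src does not cover either directive). The same question applies to the bdstrike hunk below, where `frame-ancestors 'self'` is meant to replace the base value while the report override is meant to extend the report base. A comment above `csp_override`, along the lines of `# merged over website::csp_base by hash_to_csp; see that function for whether base keys are kept`, would record the intended semantics next to the data rather than leaving it to the reader.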
@@ -555,6 +565,12 @@
 		docroot_group => 'editors',
 		letsencrypt_name => 'bdstrike.co.uk',
 		custom_fragment => template("private/apache/bdstrike.fragment"),
+		csp_override => {"frame-ancestors" => "'self'"},
+		csp_report_override => {
+			"font-src" => "'self' https://fonts.gstatic.com/",
+			"img-src" => "'self' https://secure.gravatar.com/",
+			"style-src" => "'self' https://fonts.googleapis.com/"
+		},
 	}
 	$aliases = [
 		'strikecreations.co.uk',
--- a/modules/website/files/zzz-0-custom.conf	Sun Dec 15 16:28:47 2019 +0000
+++ b/modules/website/files/zzz-0-custom.conf	Wed Dec 18 21:22:50 2019 +0000
@@ -90,7 +90,5 @@
 ServerTokens Minor
 
 Header always set Referrer-Policy "no-referrer-when-downgrade"
+# FIXME: This shouldn't be a fixed URL!
 Header always set Expect-CT "max-age=0, report-uri='https://ibboard.report-uri.io/r/default/ct/reportOnly'"
-Header always set Content-Security-Policy "upgrade-insecure-requests; frame-ancestors 'none'; base-uri 'none'"
-Header always set Content-Security-Policy-Report-Only "default-src 'none'; img-src 'self'; script-src 'self'; style-src 'self'; font-src 'self'"
-#; report-uri https://ibboard.report-uri.com/r/d/csp/reportOnly"
\ No newline at end of file
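Review bot: Dropping the global `Content-Security-Policy` header here means the baseline `frame-ancestors 'none'; base-uri 'none'` no longer reaches any vhost that does not render https_core_conf.erb; from this changeset alone it cannot be told whether every vhost (including any plain-HTTP or default vhost) goes through website::https, so that is worth confirming before deploying. Separately, the `Expect-CT` line the new FIXME refers to still reports to a `report-uri.io` host while the CSP report-uri added in templates.pp uses `report-uri.com`; if a single reporting endpoint is intended, the FIXME could say so: `# FIXME: This shouldn't be a fixed URL (and should match the CSP report-uri host)`.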
--- a/modules/website/manifests/https.pp	Sun Dec 15 16:28:47 2019 +0000
+++ b/modules/website/manifests/https.pp	Wed Dec 18 21:22:50 2019 +0000
@@ -16,6 +16,8 @@
     $force_no_www       = true,
     $force_no_index     = true,
     $lockdown_requests  = true,
+    $csp_override       = undef,
+    $csp_report_override = undef,
   ) {
 
   if ! defined(Class['website']) {
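Review bot: Style: `$csp_report_override = undef,` breaks the column alignment of the parameter list, and the same happens in the two multitld.pp hunks below (parameter list and pass-through). Because `$csp_override` is padded to the old width, the block reads as if only one parameter had been added; either realign the whole list or drop the padding on both new lines. Nothing documents what `undef` means for these two parameters; a comment such as `# hash merged into website::csp_base by hash_to_csp; undef presumably leaves the base policy unchanged - confirm` before them would help the next reader.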
@@ -35,6 +37,9 @@
     $primary_name = $name
   }
 
+  $csp_string = hash_to_csp($website::csp_base, $csp_override)
+  $csp_report_string = hash_to_csp($website::csp_report_base, $csp_report_override)
+
   $custom_conf0 = template('website/https_core_conf.erb')
 
   if $force_no_index {
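Review bot: `hash_to_csp` is called here with a possibly-undef `$csp_override`, but no file defining that function appears in the changeset's file list (only manifests, a conf file and a template are touched), so either it already exists in the module or this commit will fail compilation with an unknown-function error; worth confirming. If it does exist, its handling of `undef` for the second argument is what decides whether a vhost with no override still gets the base policy, and that behaviour is not visible from this hunk. The enclosing define continues outside the hunk.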
--- a/modules/website/manifests/https/multitld.pp	Sun Dec 15 16:28:47 2019 +0000
+++ b/modules/website/manifests/https/multitld.pp	Wed Dec 18 21:22:50 2019 +0000
@@ -12,6 +12,8 @@
   $custom_fragment = undef,
   $force_no_index  = undef,
   $force_no_www    = undef,
+  $csp_override       = undef,
+  $csp_report_override = undef,
   ) {
 
   if ! defined(Class['website']) {
@@ -43,5 +45,7 @@
     custom_fragment => $custom_fragment,
     force_no_index  => $force_no_index,
     force_no_www    => $force_no_www,
+    csp_override    => $csp_override,
+    csp_report_override => $csp_report_override,
   }
 }
--- a/modules/website/manifests/init.pp	Sun Dec 15 16:28:47 2019 +0000
+++ b/modules/website/manifests/init.pp	Wed Dec 18 21:22:50 2019 +0000
@@ -26,6 +26,15 @@
   $filterfragment = "Include conf.custom/filter.conf"
   $cmsfragment = "Include conf.extra/cms_rewrites.conf"
 
+  $csp_base = {"frame-ancestors" => "'none'", "base-uri" => "'none'"}
+  $csp_report_base = {
+    "default-src" => "'none'",
+    "img-src" => "'self'",
+    "script-src" => "'self'",
+    "style-src" => "'self'",
+    "font-src" => "'self'"
+  }
+
   class { 'apache':
     default_mods => false,
     default_vhost => false,
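Review bot: `$csp_report_base` carries no `report-uri` (or `report-to`) directive, so unless a site's `csp_report_override` adds one, the resulting Content-Security-Policy-Report-Only header sends reports nowhere and violations are visible only in a browser console; the report-uri that was commented out in the old zzz-0-custom.conf is not carried over. Either add the reporting endpoint here (parameterised, as the FIXME in zzz-0-custom.conf already asks for Expect-CT) or record the expectation: `# report-only policy: sites must supply report-uri via csp_report_override to receive reports`. A smaller point: `$csp_base` restricts only framing and base-uri, so on sites that do not override it the enforced policy still allows any script source, which is reasonable as a transition but deserves a comment saying so.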
--- a/modules/website/templates/https_core_conf.erb	Sun Dec 15 16:28:47 2019 +0000
+++ b/modules/website/templates/https_core_conf.erb	Wed Dec 18 21:22:50 2019 +0000
@@ -1,4 +1,6 @@
 Header always set Strict-Transport-Security "max-age=16070400; includeSubDomains"
+Header always set Content-Security-Policy "upgrade-insecure-requests; <%= @csp_string %>"
+Header always set Content-Security-Policy-Report-Only "<%= @csp_report_string %>"
 Header set X-Xss-Protection "1; mode=block"
 Header set X-Content-Type-Options "nosniff"
 Header set X-Frame-Options "SAMEORIGIN"
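Review bot: `upgrade-insecure-requests;` is hard-coded ahead of `<%= @csp_string %>`, so it cannot be switched off through `csp_override`, and a site whose merged policy came out empty would emit a dangling `"upgrade-insecure-requests; "`; the Report-Only header is likewise emitted even when `@csp_report_string` is empty, which browsers ignore but which is misleading in responses. If `hash_to_csp` can emit a value-less directive, moving `upgrade-insecure-requests` into `$website::csp_base` in init.pp keeps the template a plain interpolation, and guarding the second line with `<% if @csp_report_string && !@csp_report_string.empty? %>` avoids emitting an empty policy. The strings are also interpolated unescaped into a double-quoted Apache argument, so a directive value containing `"` would break the generated config; the inputs are manifest-defined rather than untrusted, but `hash_to_csp` is the natural place to reject such values.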