From 87d3dff258ed1a77f0cb79461cee00e5841c3437 Mon Sep 17 00:00:00 2001 From: Daniel Micay Date: Fri, 18 Jun 2021 17:34:02 -0400 Subject: [PATCH] more initial CSP working around Element flaws --- nginx/nginx.conf | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/nginx/nginx.conf b/nginx/nginx.conf index f3534be..b30e91d 100644 --- a/nginx/nginx.conf +++ b/nginx/nginx.conf @@ -89,7 +89,7 @@ http { root /var/empty; include snippets/security-headers.conf; - add_header Content-Security-Policy "frame-ancestors 'none'; block-all-mixed-content"; + add_header Content-Security-Policy "script-src 'none'; style-src 'none'; frame-ancestors 'none'; block-all-mixed-content"; # obsolete and replaced with Content-Security-Policy frame-ancestors 'none' add_header X-Frame-Options "DENY"; @@ -101,7 +101,7 @@ http { proxy_hide_header Content-Security-Policy; proxy_hide_header X-Frame-Options; include snippets/security-headers.conf; - add_header Content-Security-Policy "frame-ancestors 'none'; block-all-mixed-content"; + add_header Content-Security-Policy "script-src 'none'; style-src 'none'; frame-ancestors 'none'; block-all-mixed-content"; # obsolete and replaced with Content-Security-Policy frame-ancestors 'none' add_header X-Frame-Options "DENY"; add_header X-Robots-Tag "none"; @@ -129,7 +129,7 @@ http { root /usr/share/webapps/element; include snippets/security-headers.conf; - add_header Content-Security-Policy "frame-ancestors 'self'; block-all-mixed-content"; + add_header Content-Security-Policy "script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; frame-ancestors 'self'; block-all-mixed-content"; # obsolete and replaced with Content-Security-Policy frame-ancestors 'self' add_header X-Frame-Options "SAMEORIGIN"; add_header X-Robots-Tag "none";