mirror of
https://github.com/GrapheneOS/matrix.grapheneos.org.git
synced 2024-09-30 16:25:36 +00:00
more initial CSP working around Element flaws
This commit is contained in:
parent
ee984f0c7f
commit
87d3dff258
@ -89,7 +89,7 @@ http {
|
|||||||
root /var/empty;
|
root /var/empty;
|
||||||
|
|
||||||
include snippets/security-headers.conf;
|
include snippets/security-headers.conf;
|
||||||
add_header Content-Security-Policy "frame-ancestors 'none'; block-all-mixed-content";
|
add_header Content-Security-Policy "script-src 'none'; style-src 'none'; frame-ancestors 'none'; block-all-mixed-content";
|
||||||
# obsolete and replaced with Content-Security-Policy frame-ancestors 'none'
|
# obsolete and replaced with Content-Security-Policy frame-ancestors 'none'
|
||||||
add_header X-Frame-Options "DENY";
|
add_header X-Frame-Options "DENY";
|
||||||
|
|
||||||
@ -101,7 +101,7 @@ http {
|
|||||||
proxy_hide_header Content-Security-Policy;
|
proxy_hide_header Content-Security-Policy;
|
||||||
proxy_hide_header X-Frame-Options;
|
proxy_hide_header X-Frame-Options;
|
||||||
include snippets/security-headers.conf;
|
include snippets/security-headers.conf;
|
||||||
add_header Content-Security-Policy "frame-ancestors 'none'; block-all-mixed-content";
|
add_header Content-Security-Policy "script-src 'none'; style-src 'none'; frame-ancestors 'none'; block-all-mixed-content";
|
||||||
# obsolete and replaced with Content-Security-Policy frame-ancestors 'none'
|
# obsolete and replaced with Content-Security-Policy frame-ancestors 'none'
|
||||||
add_header X-Frame-Options "DENY";
|
add_header X-Frame-Options "DENY";
|
||||||
add_header X-Robots-Tag "none";
|
add_header X-Robots-Tag "none";
|
||||||
@ -129,7 +129,7 @@ http {
|
|||||||
root /usr/share/webapps/element;
|
root /usr/share/webapps/element;
|
||||||
|
|
||||||
include snippets/security-headers.conf;
|
include snippets/security-headers.conf;
|
||||||
add_header Content-Security-Policy "frame-ancestors 'self'; block-all-mixed-content";
|
add_header Content-Security-Policy "script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; frame-ancestors 'self'; block-all-mixed-content";
|
||||||
# obsolete and replaced with Content-Security-Policy frame-ancestors 'self'
|
# obsolete and replaced with Content-Security-Policy frame-ancestors 'self'
|
||||||
add_header X-Frame-Options "SAMEORIGIN";
|
add_header X-Frame-Options "SAMEORIGIN";
|
||||||
add_header X-Robots-Tag "none";
|
add_header X-Robots-Tag "none";
|
||||||
|
Loading…
Reference in New Issue
Block a user