This is an automated email from the ASF dual-hosted git repository.

sebb pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/attic-docker.git


The following commit(s) were added to refs/heads/main by this push:
     new 22844ab  Update to latest CSP
22844ab is described below

commit 22844ab98012f63c7954d8e34037dbede6f368a6
Author: Sebb <s...@apache.org>
AuthorDate: Fri Apr 25 15:14:21 2025 +0100

    Update to latest CSP
---
 config/000-default.conf | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/config/000-default.conf b/config/000-default.conf
index 9371456..b46a13a 100644
--- a/config/000-default.conf
+++ b/config/000-default.conf
@@ -5,13 +5,24 @@
        DocumentRoot /var/www/site.apache.org
 
        # Always set CSP; ensure this agrees with TLP version
-       Header set Content-Security-Policy "default-src 'self' data: blob: 
'unsafe-inline' https://www.apachecon.com/ https://www.communityovercode.org/ 
https://*.apache.org/; script-src 'self' 'unsafe-inline' 'unsafe-eval' 
https://www.apachecon.com/ https://*.apache.org/ https://apache.org/; style-src 
'self' 'unsafe-inline' data: https://*.apache.org/ https://apache.org/; 
frame-ancestors 'self'; frame-src 'self' data: blob:; img-src 'self' data: 
https://*.apache.org/ https://apache.org/ https: [...]
+
+       # Base foundation allowances: self, data/blob, inline, and our own 
known domains
+       SetEnv CSP_INFRA_BASE "'self' data: blob: 'unsafe-inline' 'unsafe-eval' 
https://www.apachecon.com/ https://www.communityovercode.org/ 
https://*.apache.org/ https://apache.org/";
+       
+       # Third party approved domains, separate with space
+       SetEnv CSP_THIRD_PARTY "https://*.scarf.sh/ "
+       
+       # CSP_PROJECT_DOMAINS can be set in .htaccess to expand CSP. MUST have 
commentary in the .htaccess file explaining why these domains are added and 
with whose permission.
+       SetEnv CSP_PROJECT_DOMAINS ""
+       Header set Content-Security-Policy "default-src %{CSP_INFRA_BASE}e 
%{CSP_THIRD_PARTY}e %{CSP_PROJECT_DOMAINS}e; script-src %{CSP_INFRA_BASE}e 
%{CSP_THIRD_PARTY}e %{CSP_PROJECT_DOMAINS}e; style-src %{CSP_INFRA_BASE}e 
%{CSP_THIRD_PARTY}e %{CSP_PROJECT_DOMAINS}e; frame-ancestors 'self'; frame-src 
%{CSP_INFRA_BASE}e %{CSP_THIRD_PARTY}e %{CSP_PROJECT_DOMAINS}e; worker-src 
'self' data: blob:;"
+
 
        # Allow .htaccess Header set CSP
        <Directory /var/www/site.apache.org/>
                AllowOverride FileInfo
                # We don't want to generate an index with index.cgi, as that 
invokes closer.lua
                DirectoryIndex disabled
+               DirectoryIndex index.html
        </Directory>
 
        LuaScope thread
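Review bot: Every directive in the new `Header set Content-Security-Policy` is assembled from the same three lists, so `https://*.scarf.sh/` from CSP_THIRD_PARTY — and anything a project later adds via CSP_PROJECT_DOMAINS in .htaccess — becomes an allowed script-src and frame-src origin rather than only an image/connect origin, and frame-src widens from the removed policy's `'self' data: blob:` to the whole infra list (including the now-redundant `'unsafe-eval'`). If scarf is only serving a tracking pixel, scope it per directive, e.g. `SetEnv CSP_THIRD_PARTY_IMG "https://*.scarf.sh/"` and `img-src %{CSP_INFRA_BASE}e %{CSP_THIRD_PARTY_IMG}e;`, and keep script-src and frame-src to the infra list plus reviewed project domains; note the new policy has no img-src at all, whereas the removed one (truncated in this mail) appears to have allowed `https:` for images, so externally hosted badges may now be blocked — confirm that is intended. Separately, the `;` after the closing quote on the `SetEnv CSP_INFRA_BASE "..."` line is outside the quoted value and would be parsed as a third argument, which I would expect mod_env to reject at startup, so run `apachectl configtest` before rebuilding the image. The enclosing container (presumably a `<VirtualHost>`) starts before and ends after this hunk.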
