jjkiers/cloudron-box
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

Do not set frame-action and default-src CSP for openid routes

Browse Source 
If set chrome wants a rule with * and safari on iOS wants an explicit
schema, so not setting any works with both.
This commit is contained in:
Johannes Zellner
2023-09-26 23:37:52 +02:00
parent 31ef53c530
commit 0fd4a831c8
1 changed files with 1 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
src/nginxconfig.ejs
View File

@@ -257,7 +257,7 @@ server {
location ~ ^/openid/ {
proxy_pass http://127.0.0.1:3005;
add_header Content-Security-Policy "default-src 'none'; frame-src 'self' cloudron.io *.cloudron.io; connect-src wss: https: 'self' *.cloudron.io; script-src https: 'self' 'unsafe-inline' 'unsafe-eval'; img-src * data:; style-src https: 'unsafe-inline'; object-src 'none'; font-src https: 'self'; frame-ancestors 'none'; base-uri 'none'; form-action *;";
add_header Content-Security-Policy "frame-src 'self' cloudron.io *.cloudron.io; connect-src wss: https: 'self' *.cloudron.io; script-src https: 'self' 'unsafe-inline' 'unsafe-eval'; img-src * data:; style-src https: 'unsafe-inline'; object-src 'none'; font-src https: 'self'; frame-ancestors 'none'; base-uri 'none';";
client_max_body_size 2m;
}