From: Andreas Gerstenberg Date: Thu, 12 Oct 2017 15:55:27 +0000 (+0200) Subject: spk-spar-checker add Content-Security-Policy + filesmatch X-Git-Tag: v0.1.0~2334 X-Git-Url: https://git.uhu-banane.de/?a=commitdiff_plain;h=8b218901e6542c2d50ea372932f56e92292049bc;p=pixelpark%2Fhiera.git spk-spar-checker add Content-Security-Policy + filesmatch --- diff --git a/customer/spk-spar-checker/production.yaml b/customer/spk-spar-checker/production.yaml index 3c7736bd..93ccc0a9 100644 --- a/customer/spk-spar-checker/production.yaml +++ b/customer/spk-spar-checker/production.yaml @@ -41,7 +41,8 @@ infra::profile::apache::pp_vhosts: - 'always set X-Frame-Options "SAMEORIGIN"' - 'always set X-Content-Type-Options "nosniff"' - 'always set Strict-Transport-Security: "max-age=15768001"' -# - "set Content-Security-Policy \"default-src 'self' 'unsafe-eval' 'unsafe-inline' ; style-src 'self' https://webfonts.sparkasse.de 'unsafe-inline' ; font-src 'self' data: https://webfonts.sparkasse.de ; img-src 'self' data: ;\"" + - "set Content-Security-Policy \"default-src 'none'; connect-src 'self'; script-src 'self' data: www.google-analytics.com 'sha256-aed8ae7e95bc21fd56a9074f9eedd4db237cf41ebb8ea603d8bf6764f0d23f4c'; style-src 'self' data: https://webfonts.sparkasse.de 'unsafe-inline'; img-src 'self' data: img.vxcdn.com www.google-analytics.com www.verivox.de; font-src 'self' data: https://webfonts.sparkasse.de; child-src 'self'; object-src 'self'; form-action 'self'; report-uri /api/v1/report;\"" + aliases: - { alias: /api , path: /var/www/spar-checker/sparchecker-backend/public/api } - { alias: /sfp , path: /var/www/spar-checker/sparchecker-backend/public/sfp } @@ -102,6 +103,10 @@ infra::profile::apache::pp_vhosts: allow_override: - None directoryindex: 'index.php index.html' + - provider: filesmatch + path: '\.(ttf|otf|eot|woff)$' + headers: + - 'always set Access-Control-Allow-Origin "*"' rewrites: - comment: 'sfp files' rewrite_cond: