diff --git a/files/routes/allroutes.py b/files/routes/allroutes.py index 0369f8a86..8d768c687 100644 --- a/files/routes/allroutes.py +++ b/files/routes/allroutes.py @@ -58,56 +58,12 @@ def before_request(): g.nonce = secrets.token_urlsafe(31) - - -CSP = { - "upgrade-insecure-requests": "", - - "default-src": "'none'", - "frame-ancestors": "'none'", - - "form-action": "'self'", - "manifest-src": "'self'", - "worker-src": "'self'", - "base-uri": "'self'", - "font-src": "'self'", - - "style-src-elem": "'self'", - "style-src-attr": "'unsafe-inline'", - "style-src": "'self' 'unsafe-inline'", - - "script-src-elem": "'self' challenges.cloudflare.com", - "script-src-attr": "'none'", - "script-src": "'self' challenges.cloudflare.com", - - "media-src": "https:", - "img-src": "https: data:", - - "frame-src": "challenges.cloudflare.com www.youtube-nocookie.com platform.twitter.com", - "connect-src": "'self' tls-use1.fpapi.io api.fpjs.io", - - "report-to": "csp", - "report-uri": "/csp_violations", -} - -if IS_LOCALHOST: - CSP["media-src"] += " http:" - CSP["img-src"] += " http:" - -CSP_str = '' - -for k, val in CSP.items(): - CSP_str += f'{k} {val}; ' - @app.after_request def after_request(response:Response): if response.status_code < 400: _set_cloudflare_cookie(response) _commit_and_close_db() - response.headers.add("Report-To", {"group":"csp","max_age":10886400,"endpoints":[{"url":"/csp_violations"}]}) - response.headers.add("Content-Security-Policy", CSP_str) - return response diff --git a/nginx-headers.conf b/nginx-headers.conf index bdab541b7..b21d439f6 100644 --- a/nginx-headers.conf +++ b/nginx-headers.conf 
@@ -2,3 +2,5 @@ add_header Referrer-Policy "same-origin";
 add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
 add_header X-Frame-Options "deny";
 add_header X-Content-Type-Options "nosniff";
+add_header Report-To "{'group': 'csp', 'max_age': 10886400, 'endpoints': [{'url': '/csp_violations'}]}";
+add_header Content-Security-Policy "upgrade-insecure-requests ; default-src 'none'; frame-ancestors 'none'; form-action 'self'; manifest-src 'self'; worker-src 'self'; base-uri 'self'; font-src 'self'; style-src-elem 'self'; style-src-attr 'unsafe-inline'; style-src 'self' 'unsafe-inline'; script-src-elem 'self' challenges.cloudflare.com; script-src-attr 'none'; script-src 'self' challenges.cloudflare.com; media-src 'self' https:; img-src 'self' https: data:; frame-src challenges.cloudflare.com www.youtube-nocookie.com platform.twitter.com; connect-src 'self' tls-use1.fpapi.io api.fpjs.io; report-to csp; report-uri /csp_violations;";
diff --git a/nginx-serve-static.conf b/nginx-serve-static.conf
index 1ad6afc5a..5d690b13c 100644
--- a/nginx-serve-static.conf
+++ b/nginx-serve-static.conf
@@ -1,5 +1,4 @@
 include includes/headers;
-add_header Content-Security-Policy "default-src 'none'; report-uri /csp_violations;";
 sendfile on;
 sendfile_max_chunk 1m;
 tcp_nopush on;
diff --git a/nginx.conf b/nginx.conf
index d01962f9e..ee080e0ff 100644
--- a/nginx.conf
+++ b/nginx.conf
@@ -5,7 +5,6 @@ server {
 listen [::]:80;
 proxy_set_header Host $http_host;
 include includes/headers;
- add_header Content-Security-Policy "default-src 'none'; report-uri /csp_violations;";
 location / {
 proxy_pass http://localhost:5000/;
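Review bot: The new Content-Security-Policy line in nginx-headers.conf drops the policy from the app's error responses, because nginx's `add_header` without `always` is only applied to a fixed list of success and redirect codes (200, 201, 204, 206, 301, 302, 303, 304, 307, 308), whereas the removed Flask `after_request` hook (allroutes.py hunk) appears, from the hunk's layout, to have set the header outside its `status_code < 400` guard, i.e. on every response including 4xx/5xx pages. Append `always` to both added directives, e.g. `add_header Content-Security-Policy "..." always;`. The Report-To value is also not valid JSON — it is a Python-style dict with single quotes — so browsers will reject the reporting group and `report-to csp` will never deliver, leaving only the legacy `report-uri` fallback; write it as `add_header Report-To '{"group":"csp","max_age":10886400,"endpoints":[{"url":"/csp_violations"}]}' always;`. Since includes/headers is also pulled in by the static-file include (nginx-serve-static.conf hunk), this full policy now replaces the `default-src 'none'` one that static locations carried before; if any of those locations serve user-uploaded files, keeping a second, tighter `add_header Content-Security-Policy "default-src 'none'; sandbox" always;` at that level is worth considering, as browsers enforce every CSP header present on a response.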
@@ -19,12 +18,23 @@ server {
 proxy_set_header Connection "Upgrade";
 proxy_pass http://localhost:5001/socket.io;
 include includes/headers;
- add_header Content-Security-Policy "default-src 'none'; report-uri /csp_violations;";
 }
 location /chat {
 proxy_pass http://localhost:5001/chat;
 include includes/headers;
 }
+ location =/offline.html {
+ alias /rDrama/files/assets/offline.html;
+ include includes/headers;
+ }
+ error_page 502 = /502.html;
+ location =/502.html {
+ alias /rDrama/files/templates/errors/rDrama/502.html;
+ include includes/headers;
+ add_header Cache-Control "no-store";
+ }
+
+
 location /images/ {
 alias /images/;
@@ -76,16 +86,4 @@ server {
 alias /rDrama/files/assets/images/rDrama/icon.webp;
 include includes/serve-static;
 }
- location =/offline.html {
- alias /rDrama/files/assets/offline.html;
- add_header Content-Security-Policy "default-src 'none'; style-src 'unsafe-inline'; img-src data:; report-uri /csp_violations;";
- }
-
-
- error_page 502 = /502.html;
- location =/502.html {
- alias /rDrama/files/templates/errors/rDrama/502.html;
- add_header Cache-Control "no-store";
- add_header Content-Security-Policy "default-src 'none'; style-src 'self'; font-src 'self'; img-src 'self'; report-uri /csp_violations;";
- }
 }
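Review bot: In the `=/502.html` block of the -19,12 hunk, `add_header Cache-Control "no-store"` and the headers pulled in by `include includes/headers;` are only emitted because `error_page 502 = /502.html;` rewrites the status to 200 — `add_header` without `always` skips 4xx/5xx responses — so the outage page reaches clients and uptime monitors as a successful 200. Keeping the real status while still sending the headers would be `error_page 502 /502.html;` together with `add_header Cache-Control "no-store" always;` (and `always` on the directives inside includes/headers, which this hunk does not touch). For consistency with the other static locations in this file (the icon.webp block in the -76,16 hunk uses `include includes/serve-static;`), the new `=/offline.html` and `=/502.html` blocks could include the same file, assuming it only adds the sendfile settings visible in the nginx-serve-static.conf hunk. The enclosing `server {` block starts and ends outside this hunk.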