move CSP to nginx-level

files/helpers/const.py

@@ -42,11 +42,6 @@ FP = environ.get("FP", "").strip()
 KOFI_TOKEN = environ.get("KOFI_TOKEN", "").strip()
 KOFI_LINK = environ.get("KOFI_LINK", "").strip()
 
-PUSHER_ID_CSP = ""
-if PUSHER_ID != DEFAULT_CONFIG_VALUE:
-	PUSHER_ID_CSP = f" {PUSHER_ID}.pushnotifications.pusher.com"
-CONTENT_SECURITY_POLICY_DEFAULT = "script-src 'self' 'unsafe-inline' challenges.cloudflare.com; connect-src 'self'; object-src 'none';"
-CONTENT_SECURITY_POLICY_HOME = f"script-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src 'self' tls-use1.fpapi.io api.fpjs.io{PUSHER_ID_CSP}; object-src 'none';"
 
 CLOUDFLARE_COOKIE_VALUE = "yes." # remember to change this in CloudFlare too
 

files/routes/jinja2.py

@@ -59,8 +59,6 @@ def inject_constants():
 			"site_settings":get_settings(), "EMAIL":EMAIL, "calc_users":calc_users, 
 			"max": max, "min": min, "user_can_see":User.can_see,
 			"TELEGRAM_LINK":TELEGRAM_LINK, "EMAIL_REGEX_PATTERN":EMAIL_REGEX_PATTERN,
-			"CONTENT_SECURITY_POLICY_DEFAULT":CONTENT_SECURITY_POLICY_DEFAULT,
-			"CONTENT_SECURITY_POLICY_HOME":CONTENT_SECURITY_POLICY_HOME,
 			"TRUESCORE_DONATE_MINIMUM":TRUESCORE_DONATE_MINIMUM,
 			"DONATE_LINK":DONATE_LINK, "DONATE_SERVICE":DONATE_SERVICE, "BAN_EVASION_DOMAIN":BAN_EVASION_DOMAIN, 
 			"HOUSE_JOIN_COST":HOUSE_JOIN_COST, "HOUSE_SWITCH_COST":HOUSE_SWITCH_COST, "IMAGE_FORMATS":IMAGE_FORMATS,

files/templates/chat.html

@@ -1,9 +1,4 @@
 {%- extends 'root.html' -%}
-{% if IS_LOCALHOST %}
-	{% set csp="script-src 'self' 'unsafe-inline' rdrama.net; connect-src 'self'; object-src 'none';" %}
-{% else %}
-	{% set csp=none %}
-{% endif %}
 {% block pagetitle %}Chat{% endblock %}
 {% block pagetype %}chat{% endblock %}
 {% block body %}

files/templates/default.html

@@ -1,5 +1,4 @@
 {%- extends 'root.html' -%}
-{% set csp = CONTENT_SECURITY_POLICY_HOME if request.path == '/' else CONTENT_SECURITY_POLICY_DEFAULT %}
 {% block body_attributes %}id="{% if request.path != '/comments' %}{% block pagetype %}frontpage{% endblock %}{% endif %}" {% if SITE_NAME == 'rDrama' and v and (v.is_banned or v.agendaposter) %}style="overflow-x: hidden;background:url(/assets/images/backgrounds/anime/1.webp?v=3) center center fixed; background-color: var(--background)"{% elif v and v.background %}style="{% if path != '/formatting' %}overflow-x: hidden; {% endif %} background:url(/assets/images/backgrounds/{{v.background}}?v=3) center center fixed; background-color: var(--background){% if 'anime' not in v.background %};background-size: cover{% endif %}"{% elif not v %}style="{% if path != '/formatting' %}overflow-x: hidden; {% endif %} background:url(/assets/images/backgrounds/glitter/1.webp?v=3) center center fixed; background-color: var(--background);background-size: cover"{% endif %}{% endblock %}
 {% block body %}
 {% block banner %}

files/templates/root.html

@@ -7,15 +7,11 @@
 {% endblock %}
 {%- import 'util/macros.html' as macros with context -%}
 {%- import 'util/html_head.html' as html_head with context -%}
-{%- if request.path == '/' -%}
-	{%- set csp=CONTENT_SECURITY_POLICY_HOME -%}
-{%- endif -%}
 <!DOCTYPE html>
 <html lang="en">
 	<head>
 	{% block head %}
 		<meta charset="utf-8">
-		<meta http-equiv="Content-Security-Policy" content="{{csp | default(CONTENT_SECURITY_POLICY_DEFAULT, true) | safe}}">
 		{% block title %}<title>{% block pagetitle %}if you see this pls report it as a bug &lt;3{% endblock %} - {{SITE_NAME}}</title>{% endblock %}
 		{{html_head.page_meta(self.pagetitle() or none)}}
 		{{html_head.javascript() if root_scope.js}}

nginx.conf

@@ -8,6 +8,7 @@ server {
 	add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
 	add_header X-Frame-Options "deny";
 	add_header X-Content-Type-Options "nosniff";
+	add_header Content-Security-Policy "script-src 'self' 'unsafe-inline' 'unsafe-eval' challenges.cloudflare.com; connect-src 'self' tls-use1.fpapi.io api.fpjs.io 00bb6d59-7b11-4339-b1ae-b1f1259d1316.pushnotifications.pusher.com; object-src 'none';";
 
 	location / {
 		proxy_pass http://localhost:5000/;