From 8a29c1db52736c599aea04782e48346741b06ae5 Mon Sep 17 00:00:00 2001
From: frju365 <win10@tutanota.com>
Date: Sat, 25 Aug 2018 00:26:40 +0200
Subject: [mod] Add CSP for security

---
 conf/nginx.conf | 3 +++
 1 file changed, 3 insertions(+)

(limited to 'conf/nginx.conf')

diff --git a/conf/nginx.conf b/conf/nginx.conf
index 585109e..eb823e7 100644
--- a/conf/nginx.conf
+++ b/conf/nginx.conf
@@ -1,6 +1,9 @@
 # upload max size
 client_max_body_size 100M;
 
+# Content Security Policy : security to avoid launching unsecure script
+add_header Content-Security-Policy "default-src 'none'; font-src 'self'; media-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self'; img-src 'self' blob: data:; connect-src 'self' wss://$domain;";
+
 # add to v1.4 assets
 root __FINALPATH__/live/public;
 
-- 
cgit v1.2.3-70-g09d2


From 9f983fa602a525d83109d26f3a5e72f5dfa9235f Mon Sep 17 00:00:00 2001
From: frju365 <win10@tutanota.com>
Date: Sat, 25 Aug 2018 00:37:39 +0200
Subject: [fix] object-src

---
 conf/nginx.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'conf/nginx.conf')

diff --git a/conf/nginx.conf b/conf/nginx.conf
index eb823e7..562ba8c 100644
--- a/conf/nginx.conf
+++ b/conf/nginx.conf
@@ -2,7 +2,7 @@
 client_max_body_size 100M;
 
 # Content Security Policy : security to avoid launching unsecure script
-add_header Content-Security-Policy "default-src 'none'; font-src 'self'; media-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self'; img-src 'self' blob: data:; connect-src 'self' wss://$domain;";
+add_header Content-Security-Policy "default-src 'none'; font-src 'self'; media-src 'self'; object-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self'; img-src 'self' blob: data:; connect-src 'self' wss://__DOMAIN__;";
 
 # add to v1.4 assets
 root __FINALPATH__/live/public;
-- 
cgit v1.2.3-70-g09d2