Add hash-based CSP exceptionfor SBS (Fixes SURFscz/SBS#764)
baszoetekouw committed Dec 8, 2023
1 parent 31a567f commit 703f5c7
Showing 2 changed files with 9 additions and 1 deletion.
8 changes: 8 additions & 0 deletions roles/sbs/defaults/main.yml
Expand Up @@ -118,3 +118,11 @@ sbs_mfa_fallback_enabled: true

sbs_ldap_url: "ldap://ldap.example.com/dc=example,dc=com"
sbs_ldap_bind_account: "cn=admin,dc=entity_id,dc=services,dc=sram-tst,dc=surf,dc=nl"

sbs_csp_style_hashes:
- 'sha256-0+ANsgYUJdh56RK8gGvTF2vnriYqvFHfWqtA8xXa+bA='
- 'sha256-3SnfHQolDHbZMbDAPmhrZf1keHiXfj/KJyh2phhFAAY='
- 'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU='
- 'sha256-Ng6y+QCkPChG4Q49SIfXB5ToIDcDhITtQNFkDBPpCTw='
- 'sha256-orBPipbqpMvkNi+Z+m6qEn0XS6ymmAQE6+FwCNs1FbQ='
- 'sha256-vFt3L2qLqpJmRpcXGbYr2UVSmgSp9VCUzz2lnqWIATw='
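Review bot: The new `sbs_csp_style_hashes` list gives no indication of which client build it was generated from or how to regenerate it, so the next frontend release will silently break page styling once the inline style contents change and the browser rejects them. Add a comment above the list, e.g. `# SHA-256 hashes of the inline <style> elements served from client/build; regenerate after every frontend build (the browser's CSP violation report prints the expected hash).` The entry `sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=` is the SHA-256 of the empty string, i.e. an empty inline style element; allowing it is harmless, but a one-line comment would stop a future maintainer from mistaking it for a real stylesheet hash or dropping it during a cleanup.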
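--- a/roles/sbs/templates/sbs-nginx.j2
+++ b/roles/sbs/templates/sbs-nginx.j2
@@ -7,7 +7,7 @@ server {
 
 root /opt/sbs/sbs/client/build;
 
-set $csp "default-src 'none'; base-uri 'self'; connect-src 'self'; script-src 'self'; style-src 'self'; img-src 'self' data:; font-src 'self'; frame-src 'none'; form-action 'self' https://*.{{base_domain}}; frame-ancestors 'none'; block-all-mixed-content;";
+set $csp "default-src 'none'; base-uri 'self'; connect-src 'self'; script-src 'self'; style-src 'self' {%- for h in sbs_csp_style_hashes %} '{{h}}'{%endfor%}; img-src 'self' data:; font-src 'self'; frame-src 'none'; form-action 'self' https://*.{{base_domain}}; frame-ancestors 'none'; block-all-mixed-content;";
 
 add_header Content-Security-Policy $csp;
 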
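Review bot: The new `set $csp` line interpolates every entry of `sbs_csp_style_hashes` into a double-quoted nginx string and from there into the CSP header with no validation, so a stray `"`, `;` or newline in an inventory override would either break the nginx config at reload or splice additional directives into the policy. Since the role owns the variable, a cheap guard is an `ansible.builtin.assert` task before the template, e.g. `that: sbs_csp_style_hashes | reject('match', '^sha(256|384|512)-[A-Za-z0-9+/]+=*$') | list | length == 0`, which fails the play instead of shipping a malformed header. Note also that hash sources in `style-src` match inline `<style>` elements only; if any of these hashes were collected from `style=` attributes, browsers will still block them unless `'unsafe-hashes'` is added, so it is worth recording which kind the list covers. The enclosing `server` block starts and ends outside the hunk.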
