From 703f5c7d950191dbde2cc86453e61a65f4aeebee Mon Sep 17 00:00:00 2001
From: Bas Zoetekouw
Date: Fri, 8 Dec 2023 10:00:10 +0100
Subject: [PATCH] Add hash-based CSP exceptionfor SBS (Fixes https://github.com/SURFscz/SBS/issues/764)

---
 roles/sbs/defaults/main.yml | 8 ++++++++
 roles/sbs/templates/sbs-nginx.j2 | 2 +-
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/roles/sbs/defaults/main.yml b/roles/sbs/defaults/main.yml
index a5841827..f9d3e68c 100644
--- a/roles/sbs/defaults/main.yml
+++ b/roles/sbs/defaults/main.yml
@@ -118,3 +118,11 @@ sbs_mfa_fallback_enabled: true
 
 sbs_ldap_url: "ldap://ldap.example.com/dc=example,dc=com"
 sbs_ldap_bind_account: "cn=admin,dc=entity_id,dc=services,dc=sram-tst,dc=surf,dc=nl"
+
+sbs_csp_style_hashes:
+  - 'sha256-0+ANsgYUJdh56RK8gGvTF2vnriYqvFHfWqtA8xXa+bA='
+  - 'sha256-3SnfHQolDHbZMbDAPmhrZf1keHiXfj/KJyh2phhFAAY='
+  - 'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU='
+  - 'sha256-Ng6y+QCkPChG4Q49SIfXB5ToIDcDhITtQNFkDBPpCTw='
+  - 'sha256-orBPipbqpMvkNi+Z+m6qEn0XS6ymmAQE6+FwCNs1FbQ='
+  - 'sha256-vFt3L2qLqpJmRpcXGbYr2UVSmgSp9VCUzz2lnqWIATw='
diff --git a/roles/sbs/templates/sbs-nginx.j2 b/roles/sbs/templates/sbs-nginx.j2
index d157403d..5cc0a001 100644
--- a/roles/sbs/templates/sbs-nginx.j2
+++ b/roles/sbs/templates/sbs-nginx.j2
@@ -7,7 +7,7 @@ server {
     root /opt/sbs/sbs/client/build;
-    set $csp "default-src 'none'; base-uri 'self'; connect-src 'self'; script-src 'self'; style-src 'self'; img-src 'self' data:; font-src 'self'; frame-src 'none'; form-action 'self' https://*.{{base_domain}}; frame-ancestors 'none'; block-all-mixed-content;";
+    set $csp "default-src 'none'; base-uri 'self'; connect-src 'self'; script-src 'self'; style-src 'self' {%- for h in sbs_csp_style_hashes %} '{{h}}'{%endfor%}; img-src 'self' data:; font-src 'self'; frame-src 'none'; form-action 'self' https://*.{{base_domain}}; frame-ancestors 'none'; block-all-mixed-content;";
     add_header Content-Security-Policy $csp;
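Review bot: The new `sbs_csp_style_hashes` list in roles/sbs/defaults/main.yml gives no indication of where its six values come from, so a later maintainer cannot tell whether they are still current after the SBS client is rebuilt; please add a comment above the key such as `# SHA-256 hashes of the inline <style> blocks in the built SBS client (SURFscz/SBS#764); recompute after any client build that changes inline CSS, otherwise browsers silently drop those styles.` The third entry, `sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=`, is the SHA-256 of the empty string, i.e. it allow-lists an empty inline style element, which is harmless but deserves a one-line note so it is not mistaken for a typo or removed as unexplained. Hashes in `style-src` only match `<style>` element contents; if any of these were computed for `style=` attributes they will still be rejected without `'unsafe-hashes'`, so the comment should state which kind each hash covers. The list is consumed by the `style-src` loop in the sbs-nginx.j2 hunk, whose end lies outside this excerpt.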