From 7bc47902a135bfd44edd353930b96f25e9055e40 Mon Sep 17 00:00:00 2001 From: Federico Capoano Date: Wed, 22 May 2024 12:55:51 -0400 Subject: [PATCH 1/2] [fix] Include allowed_hostnames in nginx Content-Security-Policy #366 Fixes #366 --- README.md | 7 ++----- defaults/main.yml | 4 ++-- tasks/nginx.yml | 1 + 3 files changed, 5 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index 647c20f6..60fa871c 100644 --- a/README.md +++ b/README.md @@ -1032,12 +1032,9 @@ Below are listed all the variables you can customize (you may also want to take # nginx error log configuration openwisp2_nginx_access_log: "{{ openwisp2_path }}/log/nginx.access.log" openwisp2_nginx_error_log: "{{ openwisp2_path }}/log/nginx.error.log error" - # nginx Content Security Policy header + # nginx Content Security Policy header, customize if needed openwisp2_nginx_csp: > - "default-src http: https: data: blob: 'unsafe-inline'; - script-src 'unsafe-eval' https: 'unsafe-inline' 'self'; - frame-ancestors 'self'; connect-src https://{{ inventory_hostname }} wss: 'self'; - worker-src https://{{ inventory_hostname }} blob: 'self';" always; + CUSTOM_NGINX_SECURITY_POLICY # uwsgi gid, omitted by default openwisp2_uwsgi_gid: null # number of uWSGI process to spawn. Default value is 1. diff --git a/defaults/main.yml b/defaults/main.yml index 24873961..13a0c2e8 100755 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -62,8 +62,8 @@ openwisp2_nginx_client_max_body_size: 20M openwisp2_nginx_csp: > "default-src http: https: data: blob: 'unsafe-inline'; script-src 'unsafe-eval' https: 'unsafe-inline' 'self'; - frame-ancestors 'self'; connect-src https://{{ inventory_hostname }} wss: 'self'; - worker-src https://{{ inventory_hostname }} blob: 'self';" always; + frame-ancestors 'self'; connect-src https://{{ inventory_hostname }}{% for host in openwisp2_allowed_hosts %} https://{{ host }}{% endfor %} wss: 'self'; + worker-src https://{{ inventory_hostname }}{% for host in openwisp2_allowed_hosts %} https://{{ host }}{% endfor %} blob: 'self';" always; openwisp2_uwsgi_gid: null openwisp2_admin_allowed_network: null openwisp2_install_ntp: true diff --git a/tasks/nginx.yml b/tasks/nginx.yml index 20c609ac..c4f7a1b1 100644 --- a/tasks/nginx.yml +++ b/tasks/nginx.yml @@ -63,6 +63,7 @@ dest: "{{ openwisp2_path }}/nginx-conf/openwisp2/security.conf" mode: 0644 notify: Restart nginx + tags: [nginx_security] - name: Nginx site available template: From cf0f6c1e79021cda053e2bbf642b7921b2c7888f Mon Sep 17 00:00:00 2001 From: Federico Capoano Date: Wed, 22 May 2024 14:54:55 -0400 Subject: [PATCH 2/2] [ci] Avoid installing requests 2.32 This request release is bugged. https://github.com/ansible-community/molecule-plugins/issues/256 --- .github/workflows/ci.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index a58b075a..2cf0fd01 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -39,6 +39,8 @@ jobs: run: | pip install molecule molecule-plugins[docker] yamllint ansible-lint docker pip install openwisp-utils[qa] + # https://github.com/ansible-community/molecule-plugins/issues/256 + python -m pip install 'requests<2.32' - name: Install Ansible Galaxy dependencies run: ansible-galaxy collection install "community.general:>=3.6.0"
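Review bot: The new `{% for host in openwisp2_allowed_hosts %} https://{{ host }}{% endfor %}` loops on the `connect-src` and `worker-src` lines copy every list entry verbatim, but if `openwisp2_allowed_hosts` is the list that ends up in Django's `ALLOWED_HOSTS` (as its name suggests; its definition is not in this hunk) it may legitimately hold `*` or a leading-dot wildcard such as `.example.com`. A `*` entry renders as `https://*`, which widens `connect-src` and `worker-src` from the single inventory host to every https origin, and a leading-dot entry renders as `https://.example.com`, which is not a valid CSP host-source and is ignored by browsers. I would filter and dedupe the list on both lines, e.g. `{% for host in openwisp2_allowed_hosts | unique if host != '*' and not host.startswith('.') %} https://{{ host }}{% endfor %}`, or document next to the variable that wildcard entries are not carried into the policy. The patch subject says `allowed_hostnames` while the variable used is `openwisp2_allowed_hosts`; worth aligning.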
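Review bot: The new `tags: [nginx_security]` on the security.conf template task is documented nowhere in this patch, even though the README hunk of the same patch now tells users to customize `openwisp2_nginx_csp`, which is exactly the change this tag lets them re-apply in isolation. I would add a README sentence saying that running the playbook with the nginx_security tag re-deploys only nginx's security.conf (for example after changing openwisp2_nginx_csp), and a task-level comment such as `# tagged so the CSP/security headers can be re-rendered without a full run`. Whether the role's other tasks follow a shared tagging convention I can't tell from this hunk.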
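Review bot: The new `python -m pip install 'requests<2.32'` line runs after `pip install molecule molecule-plugins[docker] ...` has already resolved and installed its own `requests`, so it works by downgrading an installed package rather than by constraining resolution; passing the bound to that first install, e.g. `pip install 'requests<2.32' molecule molecule-plugins[docker] yamllint ansible-lint docker`, or using a `-c constraints.txt`, avoids the install-then-downgrade. The line also switches from `pip` to `python -m pip` for no stated reason; on a setup-python runner they presumably resolve to the same interpreter, but keeping one form removes the doubt. The linked issue is a good pointer, but a comment such as `# TODO: drop once molecule-plugins works with requests>=2.32` would make the pin's removal condition explicit.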