From 254c3edc8d730c27f599bbbe5f2a417f856131f8 Mon Sep 17 00:00:00 2001
From: Timmy Willison
Date: Thu, 5 Sep 2024 09:43:56 -0400
Subject: [PATCH 1/4] nginx: use Reporting-Endpoints header to set report-to
---
 modules/profile/templates/contentorigin/site.nginx.erb | 3 ++-
 modules/profile/templates/gruntjscom/site.nginx.erb | 3 ++-
 modules/profile/templates/miscweb/site.nginx.erb | 3 ++-
 3 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/modules/profile/templates/contentorigin/site.nginx.erb b/modules/profile/templates/contentorigin/site.nginx.erb
index 4c352aa..66b4642 100644
--- a/modules/profile/templates/contentorigin/site.nginx.erb
+++ b/modules/profile/templates/contentorigin/site.nginx.erb
@@ -14,7 +14,8 @@ server {
 server_tokens off;
 # Add Content Security Policy headers
- add_header Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self' code.jquery.com; connect-src 'self'; img-src 'self'; style-src 'self'; report-to https://csp-report-api.openjs-foundation.workers.dev/";
+ add_header Reporting-Endpoints "csp-endpoint=\"https://csp-report-api.openjs-foundation.workers.dev/\""
+ add_header Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self' code.jquery.com; connect-src 'self'; img-src 'self'; style-src 'self'; report-to csp-endpoint";
 location / {
 root /srv/www/content.jquery.com;
diff --git a/modules/profile/templates/gruntjscom/site.nginx.erb b/modules/profile/templates/gruntjscom/site.nginx.erb
index 57cdc81..8b95ef6 100644
--- a/modules/profile/templates/gruntjscom/site.nginx.erb
+++ b/modules/profile/templates/gruntjscom/site.nginx.erb
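Review bot: The added `add_header Reporting-Endpoints "csp-endpoint=\"https://csp-report-api.openjs-foundation.workers.dev/\""` line has no terminating `;`, so nginx keeps reading the following `add_header Content-Security-Policy-Report-Only …` line as further arguments of the same directive, and `nginx -t` should reject the rendered config with an invalid-number-of-arguments error for `add_header` (it takes two or three). The line needs to end `…workers.dev/\"";`. The identical line is added in the gruntjscom and miscweb hunks of this patch and is then carried unchanged as context through patches 2–4, so none of the later commits in the series repair it. The enclosing `server {` block starts and ends outside the hunk.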
@@ -18,7 +18,8 @@ server {
 proxy_buffering off;
 # Add Content Security Policy headers
- add_header Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self' code.jquery.com; connect-src 'self'; img-src 'self'; style-src 'self'; report-to https://csp-report-api.openjs-foundation.workers.dev/" always;
+ add_header Reporting-Endpoints "csp-endpoint=\"https://csp-report-api.openjs-foundation.workers.dev/\""
+ add_header Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self' code.jquery.com; connect-src 'self'; img-src 'self'; style-src 'self'; report-to csp-endpoint" always;
 }
 location /.well-known/acme-challenge {
diff --git a/modules/profile/templates/miscweb/site.nginx.erb b/modules/profile/templates/miscweb/site.nginx.erb
index fd8d111..f2adc10 100644
--- a/modules/profile/templates/miscweb/site.nginx.erb
+++ b/modules/profile/templates/miscweb/site.nginx.erb
@@ -19,7 +19,8 @@ server {
 root /srv/www/<%= @fqdn %><%= @site['webroot'] or '' %>;
 # Add Content Security Policy headers
- add_header Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self' code.jquery.com; connect-src 'self'; img-src 'self'; style-src 'self'; report-to https://csp-report-api.openjs-foundation.workers.dev/";
+ add_header Reporting-Endpoints "csp-endpoint=\"https://csp-report-api.openjs-foundation.workers.dev/\""
+ add_header Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self' code.jquery.com; connect-src 'self'; img-src 'self'; style-src 'self'; report-to csp-endpoint";
 <%- if @site['allow_php'] -%>
 index index.php index.html;
From b7d508eb466263c06a12cfe51a831ce453cf227a Mon Sep 17 00:00:00 2001
From: Timmy Willison
Date: Thu, 5 Sep 2024 10:14:37 -0400
Subject: [PATCH 2/4] nginx:grunt: update CSP header to account for scripts/styles on gruntjs.com
---
 modules/profile/templates/gruntjscom/site.nginx.erb | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
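Review bot: In the gruntjscom hunk the Content-Security-Policy-Report-Only directive carries `always` but the new Reporting-Endpoints directive does not, so on responses outside nginx's default add_header status set (error pages such as 4xx/5xx) the browser receives a policy whose `report-to csp-endpoint` names an endpoint group that was never declared, and violations on those pages are silently dropped. Emit both headers under the same condition: `add_header Reporting-Endpoints "csp-endpoint=\"https://csp-report-api.openjs-foundation.workers.dev/\"" always;`. The contentorigin and miscweb copies omit `always` on both directives, so they are at least consistent with each other. This hunk appears to sit inside a location block whose opening line is outside the hunk.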
diff --git a/modules/profile/templates/gruntjscom/site.nginx.erb b/modules/profile/templates/gruntjscom/site.nginx.erb
index 8b95ef6..80088bd 100644
--- a/modules/profile/templates/gruntjscom/site.nginx.erb
+++ b/modules/profile/templates/gruntjscom/site.nginx.erb
@@ -19,7 +19,8 @@ server {
 # Add Content Security Policy headers
 add_header Reporting-Endpoints "csp-endpoint=\"https://csp-report-api.openjs-foundation.workers.dev/\""
- add_header Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self' code.jquery.com; connect-src 'self'; img-src 'self'; style-src 'self'; report-to csp-endpoint" always;
+ # The SHAs are for inline GA scripts
+ add_header Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self' revive.bocoup.com www.google-analytics.com 'sha256-jl/4AZjT8o/P6SGURO7MWYC9FWxqz2COCD/1XBPchLU=' 'sha256-BpeEnlj1KCWLiGFbROjXPqTiovWDb243qYdjW2miRrc='; connect-src 'self'; img-src 'self'; style-src 'self' fonts.googleapis.com; report-to csp-endpoint;" always;
 }
 location /.well-known/acme-challenge {
From 969d6d72155135963ed572a1a93d67e1812ca3c6 Mon Sep 17 00:00:00 2001
From: Timmy Willison
Date: Thu, 5 Sep 2024 11:14:19 -0400
Subject: [PATCH 3/4] nginx: use both report-uri and report-to directives
---
 modules/profile/templates/contentorigin/site.nginx.erb | 2 +-
 modules/profile/templates/gruntjscom/site.nginx.erb | 2 +-
 modules/profile/templates/miscweb/site.nginx.erb | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/modules/profile/templates/contentorigin/site.nginx.erb b/modules/profile/templates/contentorigin/site.nginx.erb
index 66b4642..13f713c 100644
--- a/modules/profile/templates/contentorigin/site.nginx.erb
+++ b/modules/profile/templates/contentorigin/site.nginx.erb
@@ -15,7 +15,7 @@ server {
 # Add Content Security Policy headers
 add_header Reporting-Endpoints "csp-endpoint=\"https://csp-report-api.openjs-foundation.workers.dev/\""
- add_header Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self' code.jquery.com; connect-src 'self'; img-src 'self'; style-src 'self'; report-to csp-endpoint";
+ add_header Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self' code.jquery.com; connect-src 'self'; img-src 'self'; style-src 'self'; report-uri https://csp-report-api.openjs-foundation.workers.dev/; report-to csp-endpoint";
 location / {
 root /srv/www/content.jquery.com;
diff --git a/modules/profile/templates/gruntjscom/site.nginx.erb b/modules/profile/templates/gruntjscom/site.nginx.erb
index 80088bd..9227762 100644
--- a/modules/profile/templates/gruntjscom/site.nginx.erb
+++ b/modules/profile/templates/gruntjscom/site.nginx.erb
@@ -20,7 +20,7 @@ server {
 # Add Content Security Policy headers
 add_header Reporting-Endpoints "csp-endpoint=\"https://csp-report-api.openjs-foundation.workers.dev/\""
 # The SHAs are for inline GA scripts
- add_header Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self' revive.bocoup.com www.google-analytics.com 'sha256-jl/4AZjT8o/P6SGURO7MWYC9FWxqz2COCD/1XBPchLU=' 'sha256-BpeEnlj1KCWLiGFbROjXPqTiovWDb243qYdjW2miRrc='; connect-src 'self'; img-src 'self'; style-src 'self' fonts.googleapis.com; report-to csp-endpoint;" always;
+ add_header Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self' revive.bocoup.com www.google-analytics.com 'sha256-jl/4AZjT8o/P6SGURO7MWYC9FWxqz2COCD/1XBPchLU=' 'sha256-BpeEnlj1KCWLiGFbROjXPqTiovWDb243qYdjW2miRrc='; connect-src 'self'; img-src 'self'; style-src 'self' fonts.googleapis.com; report-uri https://csp-report-api.openjs-foundation.workers.dev/; report-to csp-endpoint;" always;
 }
 location /.well-known/acme-challenge {
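Review bot: After this change the report endpoint URL is spelled out twice per template (once inside the Reporting-Endpoints value, once as the `report-uri` target) and across three templates, leaving six literal copies that must be edited in lockstep whenever the collector moves; since these are ERB templates, a single template variable interpolated into both header values would keep them from drifting. Pairing the two directives is the right fallback: browsers that understand `report-to` ignore `report-uri`, and older ones still have a destination. The same duplication applies to the gruntjscom and miscweb hunks of this patch. The enclosing `server {` block starts and ends outside the hunk.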
diff --git a/modules/profile/templates/miscweb/site.nginx.erb b/modules/profile/templates/miscweb/site.nginx.erb
index f2adc10..8e0e9a5 100644
--- a/modules/profile/templates/miscweb/site.nginx.erb
+++ b/modules/profile/templates/miscweb/site.nginx.erb
@@ -20,7 +20,7 @@ server {
 # Add Content Security Policy headers
 add_header Reporting-Endpoints "csp-endpoint=\"https://csp-report-api.openjs-foundation.workers.dev/\""
- add_header Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self' code.jquery.com; connect-src 'self'; img-src 'self'; style-src 'self'; report-to csp-endpoint";
+ add_header Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self' code.jquery.com; connect-src 'self'; img-src 'self'; style-src 'self'; report-uri https://csp-report-api.openjs-foundation.workers.dev/; report-to csp-endpoint";
 <%- if @site['allow_php'] -%>
 index index.php index.html;
From 6188614e2caca0963f19f26c6a6e41af073fe082 Mon Sep 17 00:00:00 2001
From: Timmy Willison
Date: Fri, 6 Sep 2024 10:53:01 -0400
Subject: [PATCH 4/4] fixup! remove special cases for grunt
---
 modules/profile/templates/gruntjscom/site.nginx.erb | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/modules/profile/templates/gruntjscom/site.nginx.erb b/modules/profile/templates/gruntjscom/site.nginx.erb
index 9227762..7cc1d2d 100644
--- a/modules/profile/templates/gruntjscom/site.nginx.erb
+++ b/modules/profile/templates/gruntjscom/site.nginx.erb
@@ -19,8 +19,7 @@ server {
 # Add Content Security Policy headers
 add_header Reporting-Endpoints "csp-endpoint=\"https://csp-report-api.openjs-foundation.workers.dev/\""
- # The SHAs are for inline GA scripts
- add_header Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self' revive.bocoup.com www.google-analytics.com 'sha256-jl/4AZjT8o/P6SGURO7MWYC9FWxqz2COCD/1XBPchLU=' 'sha256-BpeEnlj1KCWLiGFbROjXPqTiovWDb243qYdjW2miRrc='; connect-src 'self'; img-src 'self'; style-src 'self' fonts.googleapis.com; report-uri https://csp-report-api.openjs-foundation.workers.dev/; report-to csp-endpoint;" always;
+ add_header Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self'; report-uri https://csp-report-api.openjs-foundation.workers.dev/; report-to csp-endpoint;" always;
 }
 location /.well-known/acme-challenge {
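Review bot: The rewritten Content-Security-Policy-Report-Only value ends up narrower than the other two templates' rather than identical to them: `script-src 'self'` drops `code.jquery.com`, which patch 1 still listed for gruntjscom and which contentorigin and miscweb keep, so despite the subject line this file remains a special case. If gruntjs.com loads no scripts from code.jquery.com the stricter value is the better one and deserves a one-line comment saying so, e.g. `# gruntjs.com serves all scripts itself; no code.jquery.com here`; otherwise align it with the other templates. The stray `;` before the closing quote (`report-to csp-endpoint;"`) and the `always` flag are two further small divergences from the contentorigin and miscweb copies. This hunk appears to sit inside a location block whose opening line is outside the hunk.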