Expand responses to include CSP (per #187) (#200)

* Expand responses to include CSP (per #187) * Bump server-config-test to 1.2.0
h5bp · Oct 25, 2019 · d656422 · d656422
1 parent c11d934
commit d656422
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 3 deletions.
diff --git a/.travis.yml b/.travis.yml
@@ -20,7 +20,7 @@ jobs:
   include:
     - name: "Server Config Tests"
       install:
-        - curl -sSL https://github.com/h5bp/server-configs-test/releases/download/1.0.6/server-configs-test.tar.gz | tar -xz -C test/
+        - curl -sSL https://github.com/h5bp/server-configs-test/releases/download/1.2.0/server-configs-test.tar.gz | tar -xz -C test/
         - ./bin/build.sh test/fixtures/.htaccess test/build/htaccess_fixture.conf
       before_script:
         - docker pull httpd

diff --git a/src/security/content-security-policy.conf b/src/security/content-security-policy.conf
@@ -54,6 +54,13 @@
 #      website itself to be loaded over HTTPS you must include the
 #      `Strict-Transport-Security` header.
 #
+#  (6) The `Content-Security-Policy` header is included in all responses
+#      that are able to execute scripting. This includes the commonly used
+#      file types: HTML, XML and PDF documents. Although Javascript files
+#      can not execute script in a "browsing context", they are still included
+#      to target workers:
+#      https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#CSP_in_workers
+#
 # To make your CSP implementation easier, you can use an online CSP header
 # generator such as:
 # https://report-uri.com/home/generate/
@@ -68,6 +75,6 @@
 # https://www.w3.org/TR/CSP/
 
 <IfModule mod_headers.c>
-    #                                   (1)                 (2)              (3)                 (4)                     (5)
-    Header set Content-Security-Policy "default-src 'self'; base-uri 'none'; form-action 'self'; frame-ancestors 'none'; upgrade-insecure-requests" "expr=%{CONTENT_TYPE} =~ m#text/html#i"
+    #                                   (1)                 (2)              (3)                 (4)                     (5)                         (6)
+    Header set Content-Security-Policy "default-src 'self'; base-uri 'none'; form-action 'self'; frame-ancestors 'none'; upgrade-insecure-requests" "expr=%{CONTENT_TYPE} =~ m#text\/(html|javascript)|application\/pdf|xml#i"
 </IfModule>