Expand responses to include CSP (per #187) (#200)
* Expand responses to include CSP (per #187)

* Bump server-config-test to 1.2.0
Malvoz authored and LeoColomb committed Oct 25, 2019
1 parent c11d934 commit d656422
Showing 2 changed files with 10 additions and 3 deletions.
2 changes: 1 addition & 1 deletion .travis.yml
@@ -20,7 +20,7 @@ jobs:
include:
- name: "Server Config Tests"
install:
- curl -sSL https://github.com/h5bp/server-configs-test/releases/download/1.0.6/server-configs-test.tar.gz | tar -xz -C test/
- curl -sSL https://github.com/h5bp/server-configs-test/releases/download/1.2.0/server-configs-test.tar.gz | tar -xz -C test/
- ./bin/build.sh test/fixtures/.htaccess test/build/htaccess_fixture.conf
before_script:
- docker pull httpd
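Review bot: the new `curl` line pipes the release tarball straight into `tar` with no integrity check, so the build trusts whatever the URL returns; pin the expected SHA-256 of `server-configs-test.tar.gz` for 1.2.0 in the repository and verify it (for example with `sha256sum -c`) before extracting. Separately, `curl -sSL` does not fail on HTTP errors, so a 404 for a mistyped version would feed an HTML error page into `tar` and fail with a confusing message; `curl -fsSL` makes that failure explicit.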
11 changes: 9 additions & 2 deletions src/security/content-security-policy.conf
@@ -54,6 +54,13 @@
# website itself to be loaded over HTTPS you must include the
# `Strict-Transport-Security` header.
#
# (6) The `Content-Security-Policy` header is included in all responses
# that are able to execute scripting. This includes the commonly used
# file types: HTML, XML and PDF documents. Although Javascript files
# can not execute script in a "browsing context", they are still included
# to target workers:
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#CSP_in_workers
#
# To make your CSP implementation easier, you can use an online CSP header
# generator such as:
# https://report-uri.com/home/generate/
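Review bot: note (6) should say that the header is keyed off the response's `Content-Type`, so a scriptable document served with a missing or generic type (such as `application/octet-stream`) will not receive the policy, and that for JavaScript responses the policy governs only workers created from that script, as the linked MDN section describes. Minor wording: "Javascript" should be "JavaScript" and "can not" should be "cannot".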
@@ -68,6 +75,6 @@
# https://www.w3.org/TR/CSP/

<IfModule mod_headers.c>
# (1) (2) (3) (4) (5)
Header set Content-Security-Policy "default-src 'self'; base-uri 'none'; form-action 'self'; frame-ancestors 'none'; upgrade-insecure-requests" "expr=%{CONTENT_TYPE} =~ m#text/html#i"
# (1) (2) (3) (4) (5) (6)
Header set Content-Security-Policy "default-src 'self'; base-uri 'none'; form-action 'self'; frame-ancestors 'none'; upgrade-insecure-requests" "expr=%{CONTENT_TYPE} =~ m#text\/(html|javascript)|application\/pdf|xml#i"
</IfModule>
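Review bot: the new match expression is both wider and narrower than note (6) describes. The bare `xml` alternative is unanchored, so it fires on any `Content-Type` containing that substring, including `image/svg+xml` (arguably desirable, since SVG can carry script) but also feeds such as `application/rss+xml` and the `application/vnd.openxmlformats-officedocument.*` Office types; meanwhile only `text/javascript` is matched, so scripts served as `application/javascript` get no header at all, which undercuts the worker case the comment targets. Consider anchoring and enumerating, e.g. `"expr=%{CONTENT_TYPE} =~ m#^(text/(html|javascript|xml)|application/(pdf|javascript|xml|xhtml\+xml)|image/svg\+xml)#i"`. Two smaller points: the `\/` escapes are unnecessary inside `m#...#` (the removed line used `text/html` unescaped), and `Header set` only touches successful responses, so HTML error documents (404, 500) are served without a CSP; `Header always set` covers those as well.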
