diff --git a/.travis.yml b/.travis.yml
index f29d1846..44f74136 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -20,7 +20,7 @@ jobs:
 include:
 - name: "Server Config Tests"
 install:
- - curl -sSL https://github.com/h5bp/server-configs-test/releases/download/1.0.6/server-configs-test.tar.gz | tar -xz -C test/
+ - curl -sSL https://github.com/h5bp/server-configs-test/releases/download/1.2.0/server-configs-test.tar.gz | tar -xz -C test/
 - ./bin/build.sh test/fixtures/.htaccess test/build/htaccess_fixture.conf
 before_script:
 - docker pull httpd
diff --git a/src/security/content-security-policy.conf b/src/security/content-security-policy.conf
index 1c8d5b45..e36b2656 100644
--- a/src/security/content-security-policy.conf
+++ b/src/security/content-security-policy.conf
@@ -54,6 +54,13 @@
 # website itself to be loaded over HTTPS you must include the
 # `Strict-Transport-Security` header.
 #
+# (6) The `Content-Security-Policy` header is included in all responses
+# that are able to execute scripting. This includes the commonly used
+# file types: HTML, XML and PDF documents. Although Javascript files
+# can not execute script in a "browsing context", they are still included
+# to target workers:
+# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#CSP_in_workers
+#
 # To make your CSP implementation easier, you can use an online CSP header
 # generator such as:
 # https://report-uri.com/home/generate/
@@ -68,6 +75,6 @@
 # https://www.w3.org/TR/CSP/
- # (1) (2) (3) (4) (5)
- Header set Content-Security-Policy "default-src 'self'; base-uri 'none'; form-action 'self'; frame-ancestors 'none'; upgrade-insecure-requests" "expr=%{CONTENT_TYPE} =~ m#text/html#i"
+ # (1) (2) (3) (4) (5) (6)
+ Header set Content-Security-Policy "default-src 'self'; base-uri 'none'; form-action 'self'; frame-ancestors 'none'; upgrade-insecure-requests" "expr=%{CONTENT_TYPE} =~ m#text\/(html|javascript)|application\/pdf|xml#i"
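Review bot: The new match expression on the `Header set Content-Security-Policy` line in the last hunk only catches JavaScript served as `text/javascript`, while the (6) note added in the preceding hunk says JS responses are included to cover workers; a `.js` file served as `application/javascript` or `application/x-javascript` (which, if I read the project's media-type defaults correctly, is a likely default) still gets no header. The bare `xml` alternative, by contrast, matches any content type containing that substring, including `image/svg+xml` and `application/xhtml+xml`, so `frame-ancestors 'none'` now also applies to SVGs embedded via `<object>`/`<embed>` even from the same origin; if that broadening is intended it deserves a sentence in note (6), otherwise narrow it. Escaping `/` inside `m#…#` is unnecessary since `#` is the delimiter. An explicitly grouped form that states the intent would be `"expr=%{CONTENT_TYPE} =~ m#text/(html|javascript)|application/(javascript|x-javascript|pdf)|xml#i"`.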