From d61d28909135a5ede4ebbf1e1c9ed97f90b69457 Mon Sep 17 00:00:00 2001
From: Robert Linder <26493779+Malvoz@users.noreply.github.com>
Date: Sun, 28 Jul 2019 14:50:30 +0200
Subject: [PATCH 1/2] Expand responses to include CSP (per #187)
---
 src/security/content-security-policy.conf | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/src/security/content-security-policy.conf b/src/security/content-security-policy.conf
index 1c8d5b45..e36b2656 100644
--- a/src/security/content-security-policy.conf
+++ b/src/security/content-security-policy.conf
@@ -54,6 +54,13 @@
 # website itself to be loaded over HTTPS you must include the
 # `Strict-Transport-Security` header.
 #
+# (6) The `Content-Security-Policy` header is included in all responses
+# that are able to execute scripting. This includes the commonly used
+# file types: HTML, XML and PDF documents. Although Javascript files
+# can not execute script in a "browsing context", they are still included
+# to target workers:
+# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#CSP_in_workers
+#
 # To make your CSP implementation easier, you can use an online CSP header
 # generator such as:
 # https://report-uri.com/home/generate/
@@ -68,6 +75,6 @@
 # https://www.w3.org/TR/CSP/
- # (1) (2) (3) (4) (5)
- Header set Content-Security-Policy "default-src 'self'; base-uri 'none'; form-action 'self'; frame-ancestors 'none'; upgrade-insecure-requests" "expr=%{CONTENT_TYPE} =~ m#text/html#i"
+ # (1) (2) (3) (4) (5) (6)
+ Header set Content-Security-Policy "default-src 'self'; base-uri 'none'; form-action 'self'; frame-ancestors 'none'; upgrade-insecure-requests" "expr=%{CONTENT_TYPE} =~ m#text\/(html|javascript)|application\/pdf|xml#i"
From 22f2382de8f3a1822fed11f1266471239932ee13 Mon Sep 17 00:00:00 2001
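Review bot: The new condition `m#text\/(html|javascript)|application\/pdf|xml#i` in the second hunk only recognises scripts served as `text/javascript`, so responses that a server's MIME map emits as `application/javascript` (the type registered by RFC 4329 and a common default for `.js`) never receive the header, leaving the worker case that comment (6) describes partly uncovered. The unanchored `xml` alternative matches any content type containing that substring, including `image/svg+xml` and `application/xhtml+xml`; covering SVG is sensible since it can carry script, but comment (6) should say so rather than listing only XML documents. A possible expression is `"expr=%{CONTENT_TYPE} =~ m#text/(html|javascript)|application/(javascript|pdf)|xml#i"`; with `#` as the delimiter the `\/` escapes are unnecessary. The hunk shows fewer lines than its `@@ -68,6 +75,6 @@` header counts, so the surrounding directive lines seem to have been lost in rendering and the enclosing block is not visible here.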
From: =?UTF-8?q?L=C3=A9o=20Colombaro?=
Date: Tue, 30 Jul 2019 14:05:51 +0200
Subject: [PATCH 2/2] Bump server-config-test to 1.2.0
---
 .travis.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.travis.yml b/.travis.yml
index f29d1846..44f74136 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -20,7 +20,7 @@ jobs:
 include:
 - name: "Server Config Tests"
 install:
- - curl -sSL https://github.com/h5bp/server-configs-test/releases/download/1.0.6/server-configs-test.tar.gz | tar -xz -C test/
+ - curl -sSL https://github.com/h5bp/server-configs-test/releases/download/1.2.0/server-configs-test.tar.gz | tar -xz -C test/
 - ./bin/build.sh test/fixtures/.htaccess test/build/htaccess_fixture.conf
 before_script:
 - docker pull httpd