Content Security Policy should be configurable per virtual host #222

basilabbas · 2019-03-14T11:39:58Z

The top-level file nginx.conf defines lines for the Content-Security-Policy:

  # Add Content-Security-Policy for HTML documents.
  # h5bp/security/content-security-policy.conf
  map $sent_http_content_type $content_security_policy {
    ~*text/html "script-src 'self'; object-src 'self'";
  }

This is not practical since the $content_security_policy is different for each virtualhost domain and should be set at the virtual host file level instead of the top level nginx.conf.

The text was updated successfully, but these errors were encountered:

LeoColomb · 2019-03-14T13:00:31Z

Thanks for opening this, @basilabbas!

This is not practical since

Indeed. Actually I'm thinking of removing default activation.

should be set at the virtual host

Maps can't be set in a server{}, only in http{}.
Anyway, that is up to the user to edit the main file to match the wanted config.

LeoColomb added the wontfix This will not be worked on label Mar 14, 2019

LeoColomb changed the title ~~Content Security Policy should be configurable per virtual host instead of having it in the top level nginx.conf file~~ Content Security Policy should be configurable per virtual host Mar 14, 2019

LeoColomb closed this as completed in 29ff09a Mar 15, 2019

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Content Security Policy should be configurable per virtual host #222

Content Security Policy should be configurable per virtual host #222

basilabbas commented Mar 14, 2019

LeoColomb commented Mar 14, 2019

Content Security Policy should be configurable per virtual host #222

Content Security Policy should be configurable per virtual host #222

Comments

basilabbas commented Mar 14, 2019

LeoColomb commented Mar 14, 2019