From fd5c89a6fd05ed4034d1a78e9b4714e7c1bfa85d Mon Sep 17 00:00:00 2001
From: Jens Maus
Date: Wed, 10 Apr 2019 13:06:00 +0200
Subject: [PATCH] adapted the latest CSP security patch to include the gitcdn URL to query for newer firmware devices for RaspberryMatic. Also added "X-WebKit-CSP" response header to serve older webbrowsers as well. In addition, neither lighttpd nor ReGa will now output any "Server:" response header anymore to prevents detailed analyses on the web server type. This refs #597.
---
 .../overlay/base/etc/lighttpd/conf.d/setenv.conf | 7 ++++---
 buildroot-external/overlay/base/etc/lighttpd/lighttpd.conf | 2 +-
 .../external/overlay/base/etc/lighttpd/lighttpd.conf | 2 +-
 3 files changed, 6 insertions(+), 5 deletions(-)
diff --git a/buildroot-external/overlay/base/etc/lighttpd/conf.d/setenv.conf b/buildroot-external/overlay/base/etc/lighttpd/conf.d/setenv.conf
index 125247c48c..3d85aaccfc 100644
--- a/buildroot-external/overlay/base/etc/lighttpd/conf.d/setenv.conf
+++ b/buildroot-external/overlay/base/etc/lighttpd/conf.d/setenv.conf
@@ -1,10 +1,11 @@
 setenv.set-response-header = (
- "Server" => "Server"
+ "Server" => ""
 )
 setenv.add-response-header = (
- "Content-Security-Policy" => "default-src 'self';frame-ancestors 'self';script-src 'unsafe-inline' 'unsafe-eval' 'self' *.homematic.com;style-src 'unsafe-inline' 'self';img-src 'self' data:",
- "X-Content-Security-Policy" => "default-src 'self';frame-ancestors 'self';script-src 'unsafe-inline' 'unsafe-eval' 'self' *.homematic.com;style-src 'unsafe-inline' 'self';img-src 'self' data:",
+ "Content-Security-Policy" => "default-src 'self';frame-ancestors 'self';script-src 'unsafe-inline' 'unsafe-eval' 'self' *.homematic.com https://gitcdn.xyz ;style-src 'unsafe-inline' 'self';img-src 'self' data: ;connect-src 'self' http://*:8088",
+ "X-Content-Security-Policy" => "default-src 'self';frame-ancestors 'self';script-src 'unsafe-inline' 'unsafe-eval' 'self' *.homematic.com https://gitcdn.xyz ;style-src 'unsafe-inline' 'self';img-src 'self' data: ;connect-src 'self' http://*:8088",
+ "X-WebKit-CSP" => "default-src 'self';frame-ancestors 'self';script-src 'unsafe-inline' 'unsafe-eval' 'self' *.homematic.com https://gitcdn.xyz ;style-src 'unsafe-inline' 'self';img-src 'self' data: ;connect-src 'self' http://*:8088",
 "X-Frame-Options" => "SAMEORIGIN",
 "X-Content-Type-Options" => "nosniff",
 "X-XSS-Protection" => "1; mode=block",
diff --git a/buildroot-external/overlay/base/etc/lighttpd/lighttpd.conf b/buildroot-external/overlay/base/etc/lighttpd/lighttpd.conf
index 89e8c9a202..6aa1dab56e 100755
--- a/buildroot-external/overlay/base/etc/lighttpd/lighttpd.conf
+++ b/buildroot-external/overlay/base/etc/lighttpd/lighttpd.conf
@@ -119,7 +119,7 @@ server.document-root = server_root
 ##
 ## It would be nice to keep it at "lighttpd".
 ##
-#server.tag = "lighttpd"
+server.tag = ""
 ##
 ## store a pid file
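Review bot: The new `connect-src 'self' http://*:8088` in all three policy strings allows scripts on the CCU pages to open XHR/fetch/WebSocket connections to any host on port 8088 over plain HTTP, which is much wider than whatever single service on that port the page actually needs; if the target is the device itself or a known host, `'self'` plus that explicit origin keeps the policy from permitting arbitrary outbound connections. The `https://gitcdn.xyz` entry in script-src means whatever that third-party CDN serves executes with the origin of the device UI, and CSP has no way to pin the content; if the firmware-version data can be fetched as plain data via connect-src, or mirrored on the device, the script-src grant would be unnecessary. The three header values are byte-for-byte copies, so they will drift on the next edit; lighttpd config variables allow defining the policy once, e.g. `var.csp = "default-src 'self';..."` and then `"Content-Security-Policy" => var.csp` for each header. The stray spaces before `;` (`https://gitcdn.xyz ;`, `data: ;`) are tolerated by parsers but should be trimmed for consistency with the rest of the string. The `setenv.add-response-header` array's closing `)` lies outside the hunk.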
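Review bot: `server.tag = ""` assumes lighttpd omits the Server header entirely for an empty tag rather than emitting `Server:` with an empty value; recent lighttpd 1.4 releases do omit it, but this should be confirmed against the version built here by inspecting the response headers of the main system and of the recovery system, which gets the identical change in the third file of this patch. The same check covers setenv.conf's `"Server" => ""`, whose effect through mod_setenv also depends on the lighttpd version, and the two settings overlap: if `server.tag` already suppresses the header the setenv entry is redundant, and if it does not, the setenv entry decides the outcome. The surrounding comment `## It would be nice to keep it at "lighttpd".` now contradicts the setting beneath it; replace it with a line stating the intent, e.g. `## Intentionally empty: suppress the Server response header (refs #597)`. Note that hiding the banner only removes the easiest identification; version-specific behaviour stays observable, so keeping the package current remains the actual mitigation.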
diff --git a/buildroot-external/package/recovery-system/external/overlay/base/etc/lighttpd/lighttpd.conf b/buildroot-external/package/recovery-system/external/overlay/base/etc/lighttpd/lighttpd.conf
index 10b98c2720..4c682862c6 100755
--- a/buildroot-external/package/recovery-system/external/overlay/base/etc/lighttpd/lighttpd.conf
+++ b/buildroot-external/package/recovery-system/external/overlay/base/etc/lighttpd/lighttpd.conf
@@ -141,7 +141,7 @@ server.document-root = server_root
 ##
 ## It would be nice to keep it at "lighttpd".
 ##
-#server.tag = "lighttpd"
+server.tag = ""
 ##
 ## store a pid file