content/blog/201609-letsencrypt.rst: Update the Content-Security-Policy header information after a test showing differing behavior between the services.

1 files changed, 6 insertions, 4 deletions

diff --git a/content/blog/201609-letsencrypt.rst b/content/blog/201609-letsencrypt.rst
index a3453ac..a6d6c61 100644
--- a/content/blog/201609-letsencrypt.rst
+++ b/content/blog/201609-letsencrypt.rst
@@ -302,14 +302,13 @@ moar snippets
 
   .. code:: nginx
 
-    add_header Content-Security-Policy "default-src 'self'; connect-src 'self'; img-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline' 'unsafe-eval'";
     add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
     add_header X-Content-Type-Options nosniff;
     add_header X-Frame-Options "SAMEORIGIN";
     add_header X-XSS-Protection "1; mode=block";
     add_header X-Robots-Tag "none";
 
-| A little note on the **Content-Security-Policy** here: Usually one would try to have the targets (**default-src**, **connect-src**, **img-src**, **script-src**, **style-src**) be set to *'self'*. Due to the inline :abbr:`CSS (Cascading Style Sheets)` and Javascript in services such as |website-owncloud|, this is not possible though, so *'unsafe_inline'* and *'unsafe_eval'* have to be added as well.
+| A little note on the **Content-Security-Policy** here: Usually one would try to have the targets (**default-src**, **connect-src**, **img-src**, **script-src**, **style-src**) be set to *'self'*. Due to the inline :abbr:`CSS (Cascading Style Sheets)` and Javascript in services such as |website-owncloud| and |website-roundcube|, this is not possible though, so *'unsafe_inline'* and *'unsafe_eval'* have to be added as well for some of them.
 | At this point you could of course also choose to create differing *'security_headers'* inclusions for the services you run.
 | Depending on which are running, you will want to monitor your developer console in your browser closely after using this security header. It will tell you, if CFP is blocking some resource (and possibly making it unusable).
 
@@ -351,6 +350,7 @@ domain configurations
       error_page 500 502 503 504  /50x.html;
       # include security headers
       include security_headers.conf;
+      add_header Content-Security-Policy "default-src 'self'; connect-src 'self'; img-src 'self'; script-src 'self'; style-src 'self'";
       # include the letsencrypt snippet
       include letsencrypt-challenge.conf;
 
@@ -404,8 +404,9 @@ domain configurations
       error_log /var/log/nginx/error.cloud.domain.log;
       #this is to avoid Request Entity Too Large error
       client_max_body_size 10G;
-      # include security headers
-      include security_headers.conf;
+      # include security headers (the rest are set by ownCloud itself already)
+      add_header Content-Security-Policy "default-src 'self'; connect-src 'self'; img-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline' 'unsafe-eval'";
+      add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
       # include the letsencrypt snippet
       include letsencrypt-challenge.conf;
 
@@ -485,6 +486,7 @@ domain configurations
       client_max_body_size 20M;
       # include security headers
       include security_headers.conf;
+      add_header Content-Security-Policy "default-src 'self'; connect-src 'self'; img-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'";
       # include the request-check snippet
       include letsencrypt-challenge.conf;
       # include the letsencrypt snippet