From e80f7ecacd5aab6c0b76930676bcac634d5b63b5 Mon Sep 17 00:00:00 2001
From: Timmy Willison
Date: Sat, 16 Nov 2024 12:15:51 -0500
Subject: [PATCH] Revert "miscweb:grunt: add necessary exceptions to CSP headers"

This reverts commit 0bb2e327799acae8db6c80272dfa83797ab06161.
---
 .../templates/contentorigin/site.nginx.erb | 10 +---------
 .../profile/templates/gruntjscom/site.nginx.erb | 12 +-----------
 modules/profile/templates/miscweb/site.nginx.erb | 15 +--------------
 3 files changed, 3 insertions(+), 34 deletions(-)

diff --git a/modules/profile/templates/contentorigin/site.nginx.erb b/modules/profile/templates/contentorigin/site.nginx.erb
index 4fa95f9..1cc80b7 100644
--- a/modules/profile/templates/contentorigin/site.nginx.erb
+++ b/modules/profile/templates/contentorigin/site.nginx.erb
@@ -15,15 +15,7 @@ server {
 
  # Add Content Security Policy headers
  add_header Reporting-Endpoints "csp-endpoint='https://csp-report-api.openjs-foundation.workers.dev/'";
- add_header Content-Security-Policy-Report-Only "
- default-src 'self';
- script-src 'self' code.jquery.com;
- connect-src 'self';
- img-src 'self';
- style-src 'self';
- report-uri https://csp-report-api.openjs-foundation.workers.dev/;
- report-to csp-endpoint
- ";
+ add_header Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self' code.jquery.com; connect-src 'self'; img-src 'self'; style-src 'self'; report-uri https://csp-report-api.openjs-foundation.workers.dev/; report-to csp-endpoint";
 
  location / {
  root /srv/www/content.jquery.com;
diff --git a/modules/profile/templates/gruntjscom/site.nginx.erb b/modules/profile/templates/gruntjscom/site.nginx.erb
index 4ffc8a4..626f65f 100644
--- a/modules/profile/templates/gruntjscom/site.nginx.erb
+++ b/modules/profile/templates/gruntjscom/site.nginx.erb
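Review bot: The restored Content-Security-Policy-Report-Only line in this contentorigin hunk carries no `always` flag, so nginx attaches it only to 2xx/3xx responses and error responses (4xx/5xx, including nginx's own error pages) go out with no CSP header at all; the gruntjscom template touched by this same commit does append `always`. The miscweb hunk has the same gap, and the Reporting-Endpoints context line above it lacks the flag in all three templates, so the reporting endpoint is also undeclared on exactly the responses that receive no policy. Suggest ending the line with `" always;` instead of `";` in both templates so the policy and its endpoint declaration are emitted uniformly.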
@@ -19,17 +19,7 @@ server {
 
  # Add Content Security Policy headers
  add_header Reporting-Endpoints "csp-endpoint='https://csp-report-api.openjs-foundation.workers.dev/'";
- # script-src: add 'unsafe-eval' for the search functionality on gruntjs.com/plugins
- # Search will need to be reimplemented to remove this exception.
- add_header Content-Security-Policy-Report-Only "
- default-src 'self';
- script-src 'self' 'unsafe-eval';
- connect-src 'self';
- img-src 'self';
- style-src 'self';
- report-uri https://csp-report-api.openjs-foundation.workers.dev/;
- report-to csp-endpoint
- " always;
+ add_header Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self'; report-uri https://csp-report-api.openjs-foundation.workers.dev/; report-to csp-endpoint;" always;
  }
 
  location /.well-known/acme-challenge {
diff --git a/modules/profile/templates/miscweb/site.nginx.erb b/modules/profile/templates/miscweb/site.nginx.erb
index e7eb640..41e5635 100644
--- a/modules/profile/templates/miscweb/site.nginx.erb
+++ b/modules/profile/templates/miscweb/site.nginx.erb
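Review bot: The new script-src on the + line drops 'unsafe-eval' together with the two comment lines that recorded why it had been granted (the search on gruntjs.com/plugins) and that the search needed reimplementing before the exception could go. Because the header is Report-Only nothing breaks, but if that search still relies on eval every visit to the plugins page will now send a script-src violation to csp-endpoint, and a reader of the template cannot tell that those reports are expected rather than a regression. If dropping the exception is deliberate, suggest keeping one comment above the line, e.g. `# No 'unsafe-eval' granted: the plugins search is known to trigger script-src reports until it is reimplemented.`; the miscweb hunk loses its equivalent notes for 'wasm-unsafe-eval', secure.gravatar.com and content.jquery.com in the same way. The `;` inside the quoted policy after `report-to csp-endpoint` is harmless but differs from the other two templates.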
@@ -20,20 +20,7 @@ server {
 
  # Add Content Security Policy headers
  add_header Reporting-Endpoints "csp-endpoint='https://csp-report-api.openjs-foundation.workers.dev/'";
- # script-src: add 'wasm-unsafe-eval' for WebAssembly-driven search on
- # bugs.jquery.com, bugs.jqueryui.com, and plugins.jquery.com
- # img-src: allow secure.gravatar.com images on plugins.jquery.com
- # media-src: allow content.jquery.com media on podcast.jquery.com
- add_header Content-Security-Policy-Report-Only "
- default-src 'self';
- script-src 'self' 'wasm-unsafe-eval' code.jquery.com;
- connect-src 'self';
- img-src 'self' secure.gravatar.com;
- style-src 'self';
- media-src 'self' content.jquery.com;
- report-uri https://csp-report-api.openjs-foundation.workers.dev/;
- report-to csp-endpoint
- ";
+ add_header Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self' code.jquery.com; connect-src 'self'; img-src 'self'; style-src 'self'; report-uri https://csp-report-api.openjs-foundation.workers.dev/; report-to csp-endpoint";
 
  <%- if @site['allow_php'] -%>
  index index.php index.html;