
Commit 96ae09e

authored
fix: use proper CSP for joule on dev (#4419)
1 parent cdbb56d commit 96ae09e


2 files changed

+3
-2
lines changed


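--- a/index.html
+++ b/index.html
@@ -24,7 +24,8 @@
 http-equiv="Content-Security-Policy"
 content="
 font-src 'self' https://sdk.openui5.org/ https://cdn.jsdelivr.net data:;
-script-src 'self' 'unsafe-eval' blob: https://kcp-dev-joule-vfglrzqg.eu12.sapdas.cloud.sap;
+script-src 'self' 'unsafe-eval' blob: https://*.sapdas.cloud.sap;
+frame-src 'self' https://*.sapdas.cloud.sap https://*.ondemand.com https://*.sap.com;
 object-src 'self';
 "
 />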
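Review bot: The new `script-src` entry `https://*.sapdas.cloud.sap` replaces a single pinned host with every subdomain of that domain, so any script served from any sibling host under it is now trusted to execute with the page's origin; if other tenants or environments are hosted under sibling subdomains (the old host name suggests a per-instance name), this is a real widening that the commit title "proper CSP for joule on dev" does not explain. The same widening appears in the `frame-src` line and in the nginx/nginx.conf hunk. If the wildcard is intentional, record why next to the meta tag, e.g. `<!-- script-src/frame-src allow *.sapdas.cloud.sap because the joule host name differs per environment; keep in sync with nginx/nginx.conf -->`, and consider listing the concrete hosts once they are known. The enclosing `<meta>` element starts outside this hunk, and its `object-src 'self'` differs from the `object-src 'none'` enforced by the nginx header, so the two policies are not identical even after this change.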

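--- a/nginx/nginx.conf
+++ b/nginx/nginx.conf
@@ -38,7 +38,7 @@ http {
 root /app/core-ui;
 
 add_header 'Cache-Control' 'public, max-age=300';
-add_header Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self' https://kcp-dev-joule-vfglrzqg.eu12.sapdas.cloud.sap 'sha256-7fF0zlMDaJyxa8K3gkd0Gnt657Obx/gdAct0hR/pdds=' 'sha256-bjOtDHhqB+wVlyFDAxz9e0RvTn+EEec/Z4mpjUjNvAs=' blob:; frame-src 'self' https://kcp-dev-joule-vfglrzqg.eu12.sapdas.cloud.sap; style-src 'self' 'unsafe-inline'; connect-src 'self' * https://* wss://*; font-src 'self' data:; object-src 'none'; media-src 'self'; form-action 'self'; img-src * data:; worker-src 'self' blob: data:;";
+add_header Content-Security-Policy "default-src 'self'; script-src 'self' https://*.sapdas.cloud.sap 'sha256-7fF0zlMDaJyxa8K3gkd0Gnt657Obx/gdAct0hR/pdds=' 'sha256-bjOtDHhqB+wVlyFDAxz9e0RvTn+EEec/Z4mpjUjNvAs=' blob:; frame-src 'self' https://*.sapdas.cloud.sap https://*.ondemand.com https://*.sap.com; style-src 'self' 'unsafe-inline'; connect-src 'self' * https://* wss://*; font-src 'self' data:; object-src 'none'; media-src 'self'; form-action 'self'; img-src * data:; worker-src 'self' blob: data:;";
 add_header X-Frame-Options 'DENY';
 add_header X-Content-Type-Options 'nosniff';
 add_header Strict-Transport-Security 'max-age=31536000';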
