From aafee21c120045f5fc1780bf2f78733c8727de6a Mon Sep 17 00:00:00 2001
From: dcog989 <89043002+dcog989@users.noreply.github.com>
Date: Tue, 12 Mar 2024 10:57:48 +0000
Subject: [PATCH 1/5] Format Content-Security-Policy header directives #359
---
 h5bp/security/content-security-policy.conf | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/h5bp/security/content-security-policy.conf b/h5bp/security/content-security-policy.conf
index c2544f00..3d57a9bd 100644
--- a/h5bp/security/content-security-policy.conf
+++ b/h5bp/security/content-security-policy.conf
@@ -82,6 +82,13 @@
 # https://content-security-policy.com/
- # (1) (2) (3) (4) (5) (6) (7)
- Header always set Content-Security-Policy "default-src 'self'; base-uri 'none'; form-action 'self'; frame-ancestors 'none'; object-src 'none'; upgrade-insecure-requests" "expr=%{CONTENT_TYPE} =~ m#text\/(html|javascript)|application\/pdf|xml#i"
+ Header always set Content-Security-Policy "
+# (1) (2) (3) (4) (5) (6) (7)
+ default-src 'self';
+ base-uri 'none';
+ form-action 'self';
+ frame-ancestors 'none';
+ object-src 'none';
+ upgrade-insecure-requests;"
+ "expr=%{CONTENT_TYPE} =~ m#text\/(html|javascript)|application\/pdf|xml#i"
From c6edca9b99ddf524a917e6cb9da5209ae17711f0 Mon Sep 17 00:00:00 2001
From: dcog989 <89043002+dcog989@users.noreply.github.com>
Date: Tue, 12 Mar 2024 22:31:01 +0000
Subject: [PATCH 2/5] Update content-security-policy.conf
Fix incorrect location of comment line.
---
 h5bp/security/content-security-policy.conf | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/h5bp/security/content-security-policy.conf b/h5bp/security/content-security-policy.conf
index 3d57a9bd..382f49ca 100644
--- a/h5bp/security/content-security-policy.conf
+++ b/h5bp/security/content-security-policy.conf
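Review bot: As committed, `Header always set Content-Security-Policy "` leaves its double-quoted argument open at the end of the line, and httpd reads its configuration line by line: the lines that follow (`default-src 'self';` and the rest) would be parsed as directives of their own and the config test would fail, rather than the text becoming part of the header value. Every wrapped line needs a trailing backslash so the value is joined back into one logical line, and the `# (1) (2) (3) (4) (5) (6) (7)` line cannot sit inside the string, where it is literal header text rather than a comment. The next hunk (patch 2/5) moves the comment out but has the same missing continuation; patches 3/5 and 4/5 in this series add the backslashes. The lines after the directive (its enclosing block) are not visible in this hunk.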
@@ -82,13 +82,13 @@
 # https://content-security-policy.com/
- Header always set Content-Security-Policy "
-# (1) (2) (3) (4) (5) (6) (7)
- default-src 'self';
- base-uri 'none';
- form-action 'self';
- frame-ancestors 'none';
- object-src 'none';
- upgrade-insecure-requests;"
- "expr=%{CONTENT_TYPE} =~ m#text\/(html|javascript)|application\/pdf|xml#i"
+ # (1) (2) (3) (4) (5) (6) (7)
+ Header always set Content-Security-Policy "
+ default-src 'self';
+ base-uri 'none';
+ form-action 'self';
+ frame-ancestors 'none';
+ object-src 'none';
+ upgrade-insecure-requests;"
+ "expr=%{CONTENT_TYPE} =~ m#text\/(html|javascript)|application\/pdf|xml#i"
From 83b6b66195750b1f9819db4a12d8294329b17c99 Mon Sep 17 00:00:00 2001
From: dcog989 <89043002+dcog989@users.noreply.github.com>
Date: Thu, 14 Mar 2024 09:21:56 +0000
Subject: [PATCH 3/5] Update content-security-policy.conf
Add backslashes as per https://github.com/h5bp/server-configs-apache/pull/362#pullrequestreview-1932753887
---
 h5bp/security/content-security-policy.conf | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/h5bp/security/content-security-policy.conf b/h5bp/security/content-security-policy.conf
index 382f49ca..b8e84ddc 100644
--- a/h5bp/security/content-security-policy.conf
+++ b/h5bp/security/content-security-policy.conf
@@ -83,12 +83,12 @@
 # (1) (2) (3) (4) (5) (6) (7)
- Header always set Content-Security-Policy "
- default-src 'self';
- base-uri 'none';
- form-action 'self';
- frame-ancestors 'none';
- object-src 'none';
- upgrade-insecure-requests;"
+ Header always set Content-Security-Policy "\
+ default-src 'self';\
+ base-uri 'none';\
+ form-action 'self';\
+ frame-ancestors 'none';\
+ object-src 'none';\
+ upgrade-insecure-requests;"\
 "expr=%{CONTENT_TYPE} =~ m#text\/(html|javascript)|application\/pdf|xml#i"
From 7ea0e1bb818c9a114e6a3d9960273afef1de0563 Mon Sep 17 00:00:00 2001
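Review bot: The context line `# (1) (2) (3) (4) (5) (6) (7)` at the top of the patch 3/5 hunk was aligned column by column with the one-line header it annotated; now that each directive is on its own continuation line the numbers no longer sit above anything, and because httpd does not accept a `#` comment after a directive (and a `#` line between continuation lines would just be joined into the value) the numbers cannot be moved beside the directives. Spell the mapping out in the comment instead, e.g. `# (1) default-src  (2) base-uri  (3) form-action  (4) frame-ancestors  …`, with the remaining numbers attached to whichever directive or the `expr=` condition they describe in the explanatory block above. The patch 4/5 hunk keeps the same context line; patch 5/5 appears to drop the `(1)`…`(4)` numbering from the prose, so this comment should change together with it.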
From: dcog989 <89043002+dcog989@users.noreply.github.com>
Date: Thu, 14 Mar 2024 09:27:52 +0000
Subject: [PATCH 4/5] Update content-security-policy.conf
---
 h5bp/security/content-security-policy.conf | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/h5bp/security/content-security-policy.conf b/h5bp/security/content-security-policy.conf
index b8e84ddc..842d5c76 100644
--- a/h5bp/security/content-security-policy.conf
+++ b/h5bp/security/content-security-policy.conf
@@ -83,12 +83,12 @@
 # (1) (2) (3) (4) (5) (6) (7)
- Header always set Content-Security-Policy "\
- default-src 'self';\
- base-uri 'none';\
- form-action 'self';\
- frame-ancestors 'none';\
- object-src 'none';\
- upgrade-insecure-requests;"\
+ Header always set Content-Security-Policy " \
+ default-src 'self'; \
+ base-uri 'none'; \
+ form-action 'self'; \
+ frame-ancestors 'none'; \
+ object-src 'none'; \
+ upgrade-insecure-requests;" \
 "expr=%{CONTENT_TYPE} =~ m#text\/(html|javascript)|application\/pdf|xml#i"
From 017ae3c37af4794b4dba7d60e0031f7e9139716a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?L=C3=A9o=20Colombaro?=
Date: Mon, 18 Mar 2024 11:21:08 +0100
Subject: [PATCH 5/5] Cleanup doc & style
---
 h5bp/security/content-security-policy.conf | 34 +++++++++++-----------
 1 file changed, 17 insertions(+), 17 deletions(-)
diff --git a/h5bp/security/content-security-policy.conf b/h5bp/security/content-security-policy.conf
index 842d5c76..b55d3461 100644
--- a/h5bp/security/content-security-policy.conf
+++ b/h5bp/security/content-security-policy.conf
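Review bot: Nothing in the hunk records why the backslashes, and the space before each of them, are there, and this layout is easy to break by accident: httpd only treats `\` as a continuation when it is the very last character of the line, so a trailing space after one of them ends the quoted value on that line and the next line (`default-src 'self'; \` for instance) is parsed as a directive of its own, which httpd rejects at start-up or config test. A comment above the `Header` line would protect the next editor, e.g. `# The backslashes join the lines below into one header value; the backslash`/`# must stay the last character on each line.` The same comment can note that the `;` after `upgrade-insecure-requests` produces an empty directive that CSP parsers discard, so it is harmless but not required, and that the extra whitespace the joined lines carry is ignored by the policy parser.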
@@ -11,9 +11,9 @@
 # There is no policy that fits all websites, you will have to modify the
 # `Content-Security-Policy` directives in the example depending on your needs.
 #
-# The example policy below aims to:
+# (*) The example policy below aims to:
 #
-# (1) Restrict all fetches by default to the origin of the current website by
+# - Restrict all fetches by default to the origin of the current website by
 # setting the `default-src` directive to `'self'` - which acts as a
 # fallback to all "Fetch directives" (https://developer.mozilla.org/en-US/docs/Glossary/Fetch_directive).
 #
@@ -24,17 +24,17 @@
 # This restriction also means that you must explicitly define from which
 # site(s) your website is allowed to load resources from.
 #
-# (2) The `` element is not allowed on the website. This is to prevent
+# - The `` element is not allowed on the website. This is to prevent
 # attackers from changing the locations of resources loaded from relative
 # URLs.
 #
 # If you want to use the `` element, then `base-uri 'self'` can be
 # used instead.
 #
-# (3) Form submissions are only allowed from the current website by setting:
+# - Form submissions are only allowed from the current website by setting:
 # `form-action 'self'`.
 #
-# (4) Prevents all websites (including your own) from embedding your webpages
+# - Prevents all websites (including your own) from embedding your webpages
 # within e.g. the `
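Review bot: Replacing `(1)` with a `-` bullet in the first hunk removes the link between this prose and the `# (1) (2) (3) (4) (5) (6) (7)` line that sits above the `Header` directive further down the file; if that line is not rewritten elsewhere in this commit (the remaining hunks are not visible here), it will point at numbers the text no longer defines. The new lead-in `# (*) The example policy below aims to:` suggests a single `(*)` marker is intended; whichever form is kept, the comment next to the directive should name the directives it annotates so it does not depend on the prose ordering. The second hunk continues past the end of this excerpt.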