From aafee21c120045f5fc1780bf2f78733c8727de6a Mon Sep 17 00:00:00 2001
From: dcog989 <89043002+dcog989@users.noreply.github.com>
Date: Tue, 12 Mar 2024 10:57:48 +0000
Subject: [PATCH 1/5] Format Content-Security-Policy header directives #359
---
h5bp/security/content-security-policy.conf | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/h5bp/security/content-security-policy.conf b/h5bp/security/content-security-policy.conf
index c2544f00..3d57a9bd 100644
--- a/h5bp/security/content-security-policy.conf
+++ b/h5bp/security/content-security-policy.conf
@@ -82,6 +82,13 @@
# https://content-security-policy.com/
- # (1) (2) (3) (4) (5) (6) (7)
- Header always set Content-Security-Policy "default-src 'self'; base-uri 'none'; form-action 'self'; frame-ancestors 'none'; object-src 'none'; upgrade-insecure-requests" "expr=%{CONTENT_TYPE} =~ m#text\/(html|javascript)|application\/pdf|xml#i"
+ Header always set Content-Security-Policy "
+# (1) (2) (3) (4) (5) (6) (7)
+ default-src 'self';
+ base-uri 'none';
+ form-action 'self';
+ frame-ancestors 'none';
+ object-src 'none';
+ upgrade-insecure-requests;"
+ "expr=%{CONTENT_TYPE} =~ m#text\/(html|javascript)|application\/pdf|xml#i"
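Review bot: The quoted header value on lines 16–24 is split across physical lines with no trailing `\`, and Apache reads a directive as a single line unless each line ends in a continuation backslash, so this form will most likely fail to load rather than produce a multi-line value. The `# (1) (2) (3) (4) (5) (6) (7)` line at 17 also sits inside the opening quote and would become part of the string if the line were ever joined. Both points are addressed later in this series (PATCH 2/5 moves the comment, PATCH 3/5 and 4/5 add the backslashes), so the final form should be the one reviewed; the trailing context of this hunk is not visible here.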
From c6edca9b99ddf524a917e6cb9da5209ae17711f0 Mon Sep 17 00:00:00 2001
From: dcog989 <89043002+dcog989@users.noreply.github.com>
Date: Tue, 12 Mar 2024 22:31:01 +0000
Subject: [PATCH 2/5] Update content-security-policy.conf
Fix incorrect location of comment line.
---
h5bp/security/content-security-policy.conf | 18 +++++++++---------
1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/h5bp/security/content-security-policy.conf b/h5bp/security/content-security-policy.conf
index 3d57a9bd..382f49ca 100644
--- a/h5bp/security/content-security-policy.conf
+++ b/h5bp/security/content-security-policy.conf
@@ -82,13 +82,13 @@
# https://content-security-policy.com/
- Header always set Content-Security-Policy "
-# (1) (2) (3) (4) (5) (6) (7)
- default-src 'self';
- base-uri 'none';
- form-action 'self';
- frame-ancestors 'none';
- object-src 'none';
- upgrade-insecure-requests;"
- "expr=%{CONTENT_TYPE} =~ m#text\/(html|javascript)|application\/pdf|xml#i"
+ # (1) (2) (3) (4) (5) (6) (7)
+ Header always set Content-Security-Policy "
+ default-src 'self';
+ base-uri 'none';
+ form-action 'self';
+ frame-ancestors 'none';
+ object-src 'none';
+ upgrade-insecure-requests;"
+ "expr=%{CONTENT_TYPE} =~ m#text\/(html|javascript)|application\/pdf|xml#i"
From 83b6b66195750b1f9819db4a12d8294329b17c99 Mon Sep 17 00:00:00 2001
From: dcog989 <89043002+dcog989@users.noreply.github.com>
Date: Thu, 14 Mar 2024 09:21:56 +0000
Subject: [PATCH 3/5] Update content-security-policy.conf
Add backslashes as per https://github.com/h5bp/server-configs-apache/pull/362#pullrequestreview-1932753887
---
h5bp/security/content-security-policy.conf | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/h5bp/security/content-security-policy.conf b/h5bp/security/content-security-policy.conf
index 382f49ca..b8e84ddc 100644
--- a/h5bp/security/content-security-policy.conf
+++ b/h5bp/security/content-security-policy.conf
@@ -83,12 +83,12 @@
# (1) (2) (3) (4) (5) (6) (7)
- Header always set Content-Security-Policy "
- default-src 'self';
- base-uri 'none';
- form-action 'self';
- frame-ancestors 'none';
- object-src 'none';
- upgrade-insecure-requests;"
+ Header always set Content-Security-Policy "\
+ default-src 'self';\
+ base-uri 'none';\
+ form-action 'self';\
+ frame-ancestors 'none';\
+ object-src 'none';\
+ upgrade-insecure-requests;"\
"expr=%{CONTENT_TYPE} =~ m#text\/(html|javascript)|application\/pdf|xml#i"
From 7ea0e1bb818c9a114e6a3d9960273afef1de0563 Mon Sep 17 00:00:00 2001
From: dcog989 <89043002+dcog989@users.noreply.github.com>
Date: Thu, 14 Mar 2024 09:27:52 +0000
Subject: [PATCH 4/5] Update content-security-policy.conf
---
h5bp/security/content-security-policy.conf | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/h5bp/security/content-security-policy.conf b/h5bp/security/content-security-policy.conf
index b8e84ddc..842d5c76 100644
--- a/h5bp/security/content-security-policy.conf
+++ b/h5bp/security/content-security-policy.conf
@@ -83,12 +83,12 @@
# (1) (2) (3) (4) (5) (6) (7)
- Header always set Content-Security-Policy "\
- default-src 'self';\
- base-uri 'none';\
- form-action 'self';\
- frame-ancestors 'none';\
- object-src 'none';\
- upgrade-insecure-requests;"\
+ Header always set Content-Security-Policy " \
+ default-src 'self'; \
+ base-uri 'none'; \
+ form-action 'self'; \
+ frame-ancestors 'none'; \
+ object-src 'none'; \
+ upgrade-insecure-requests;" \
"expr=%{CONTENT_TYPE} =~ m#text\/(html|javascript)|application\/pdf|xml#i"
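Review bot: The continuation form on lines 106–112 relies on Apache joining backslash-terminated lines before the quoted string is tokenised, and it is not clear from the hunk whether the indentation at the start of each continued line is kept in the joined value; if it is, the emitted header contains runs of spaces between directives, which the CSP grammar tolerates (directives are split on `;` and whitespace-trimmed) but which a future tidy-up could easily break by dropping a backslash. A short comment above the directive would protect it, e.g. `# Each line of the value ends in " \" so Apache joins it into one quoted argument; keep the backslash on every line but the last.`. The unchanged `expr=` condition on line 113 is a second, separate argument to `Header`, so the closing `"` on line 112 must stay before its backslash; the same applies to the earlier forms of this directive in PATCH 3/5.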
From 017ae3c37af4794b4dba7d60e0031f7e9139716a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?L=C3=A9o=20Colombaro?=
Date: Mon, 18 Mar 2024 11:21:08 +0100
Subject: [PATCH 5/5] Cleanup doc & style
---
h5bp/security/content-security-policy.conf | 34 +++++++++++-----------
1 file changed, 17 insertions(+), 17 deletions(-)
diff --git a/h5bp/security/content-security-policy.conf b/h5bp/security/content-security-policy.conf
index 842d5c76..b55d3461 100644
--- a/h5bp/security/content-security-policy.conf
+++ b/h5bp/security/content-security-policy.conf
@@ -11,9 +11,9 @@
# There is no policy that fits all websites, you will have to modify the
# `Content-Security-Policy` directives in the example depending on your needs.
#
-# The example policy below aims to:
+# (*) The example policy below aims to:
#
-# (1) Restrict all fetches by default to the origin of the current website by
+# - Restrict all fetches by default to the origin of the current website by
# setting the `default-src` directive to `'self'` - which acts as a
# fallback to all "Fetch directives" (https://developer.mozilla.org/en-US/docs/Glossary/Fetch_directive).
#
@@ -24,17 +24,17 @@
# This restriction also means that you must explicitly define from which
# site(s) your website is allowed to load resources from.
#
-# (2) The `` element is not allowed on the website. This is to prevent
+# - The `` element is not allowed on the website. This is to prevent
# attackers from changing the locations of resources loaded from relative
# URLs.
#
# If you want to use the `` element, then `base-uri 'self'` can be
# used instead.
#
-# (3) Form submissions are only allowed from the current website by setting:
+# - Form submissions are only allowed from the current website by setting:
# `form-action 'self'`.
#
-# (4) Prevents all websites (including your own) from embedding your webpages
+# - Prevents all websites (including your own) from embedding your webpages
# within e.g. the `