temporarily removed the CSP reponse headers again as they are currently

creating more troubles than they help to improve the security. This definitly needs more thoughts and work before we can enable these security response headers again. This closes #620 and refs #619.
jens-maus · May 7, 2019 · 338307e · 338307e
1 parent 1d9eeba
commit 338307e
Showing 1 changed file with 6 additions and 3 deletions.
diff --git a/buildroot-external/overlay/base/etc/lighttpd/conf.d/setenv.conf b/buildroot-external/overlay/base/etc/lighttpd/conf.d/setenv.conf
@@ -3,9 +3,12 @@ setenv.set-response-header = (
 )
 
 setenv.add-response-header = (
-  "Content-Security-Policy" => "default-src 'self';frame-ancestors 'self';script-src 'unsafe-inline' 'unsafe-eval' 'self' *.homematic.com https://gitcdn.xyz ;style-src 'unsafe-inline' 'self';img-src 'self' data: ;connect-src 'self' http://*:8088",
-  "X-Content-Security-Policy" => "default-src 'self';frame-ancestors 'self';script-src 'unsafe-inline' 'unsafe-eval' 'self' *.homematic.com https://gitcdn.xyz ;style-src 'unsafe-inline' 'self';img-src 'self' data: ;connect-src 'self' http://*:8088",
-  "X-WebKit-CSP" => "default-src 'self';frame-ancestors 'self';script-src 'unsafe-inline' 'unsafe-eval' 'self' *.homematic.com https://gitcdn.xyz ;style-src 'unsafe-inline' 'self';img-src 'self' data: ;connect-src 'self' http://*:8088",
+  # disabled CSP response headers due to
+  # compatibility issues (see https://github.com/jens-maus/RaspberryMatic/pull/619)
+  #"Content-Security-Policy" => "default-src 'self';frame-ancestors 'self';script-src 'unsafe-inline' 'unsafe-eval' 'self' *.homematic.com *.homematic.com:8443 https://gitcdn.xyz ;style-src 'unsafe-inline' 'self';img-src 'self' data: ;connect-src 'self' http://*:8088",
+  #"X-Content-Security-Policy" => "default-src 'self';frame-ancestors 'self';script-src 'unsafe-inline' 'unsafe-eval' 'self' *.homematic.com *.homematic.com:8443 https://gitcdn.xyz ;style-src 'unsafe-inline' 'self';img-src 'self' data: ;connect-src 'self' http://*:8088",
+  #"X-WebKit-CSP" => "default-src 'self';frame-ancestors 'self';script-src 'unsafe-inline' 'unsafe-eval' 'self' *.homematic.com *.homematic.com:8443 https://gitcdn.xyz ;style-src 'unsafe-inline' 'self';img-src 'self' data: ;connect-src 'self' http://*:8088",
+
   "X-Frame-Options" => "SAMEORIGIN",
   "X-Content-Type-Options" => "nosniff",
   "X-XSS-Protection" => "1; mode=block",