From 49b968940be972ef5a5e6e2b221bed69412b9bb3 Mon Sep 17 00:00:00 2001
From: Timmy Willison
Date: Fri, 29 Nov 2024 19:46:04 -0500
Subject: [PATCH] miscweb: add more CSP exceptions for demos.jquerymobile.com

- script-src: load scripts from code.jquery.com
- style-src: allow some inline styles on certain pages
---
 hieradata/environments/production/roles/miscweb.yaml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/hieradata/environments/production/roles/miscweb.yaml b/hieradata/environments/production/roles/miscweb.yaml
index 1e3c8ce..fb8cdc4 100644
--- a/hieradata/environments/production/roles/miscweb.yaml
+++ b/hieradata/environments/production/roles/miscweb.yaml
@@ -19,9 +19,12 @@ profile::miscweb::sites:
       branch: main
     allow_php: true
     # script-src: unsafe-eval for syntax highlighting on all pages
+    # script-src: load scripts from code.jquery.com
     # img-src: data: for inline SVGs
     # style-src|font-src: load fonts from Google Fonts
-    csp_header: default-src 'self'; script-src 'self' 'unsafe-eval'; img-src 'self' data:; style-src 'self' fonts.googleapis.com; font-src 'self' fonts.gstatic.com; report-uri https://csp-report-api.openjs-foundation.workers.dev/; report-to csp-endpoint
+    # style-src: unsafe-inline for supports tests in
+    # jQuery 1.7.3 and jQuery Mobile 1.3.0
+    csp_header: default-src 'self'; script-src 'self' 'unsafe-eval' code.jquery.com; img-src 'self' data:; style-src 'self' 'unsafe-inline' fonts.googleapis.com; font-src 'self' fonts.gstatic.com; report-uri https://csp-report-api.openjs-foundation.workers.dev/; report-to csp-endpoint
   podcast.jquery.com:
     repository:
       name: jquery/podcast.jquery.com
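Review bot: The bare `code.jquery.com` source added to `script-src` on the new `csp_header` line allowlists every script that origin serves, including every historical jQuery build, while the comment above it only justifies the specific builds the demos load; a path-qualified source (CSP host sources match by path prefix, e.g. `code.jquery.com/<path-of-the-needed-build>` as a placeholder to fill in) or Subresource Integrity on the demo `<script>` tags would keep the exception as narrow as the stated need. The `'unsafe-inline'` added to `style-src` is site-wide, not limited to the "certain pages" the commit message describes, and if the support tests inject style elements or attributes at runtime (as the comment suggests) a hash or nonce allowlist would presumably not cover them, so the comment should record that: `# style-src: unsafe-inline applies to every page; needed because the jQuery 1.7.3 / jQuery Mobile 1.3.0 support tests inject styles at runtime`. With `'unsafe-eval'` and a third-party host now both in `script-src`, the header's protection against injected script is reduced to an origin allowlist, which is worth a one-line comment so the trade-off stays visible to the next editor of this entry. As a point of style, the single-line directive list is hard to diff; writing it as a folded scalar (`csp_header: >-` with one directive per line, each ending in `;`) yields the identical string value at runtime.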