Update apache header content-security-policy
updates:
- object-src ManageIQ/manageiq#23001
- font-src img-src, style-src ManageIQ/manageiq#21822
- connect-src ManageIQ/manageiq-ui-classic#8227
- style-src, script-src: ManageIQ/manageiq#4647
kbrock committed Apr 25, 2024
1 parent e078bb3 commit 269999a
COPY/etc/httpd/conf.d/manageiq-https-application.conf (2 additions, 2 deletions)
@@ -24,7 +24,7 @@ SSLCertificateKeyFile /var/www/miq/vmdb/certs/server.cer.key

<Location /assets/>
Header unset ETag
Header set Content-Security-Policy "default-src 'self'; child-src 'self'; connect-src 'self'; font-src 'self' fonts.gstatic.com; script-src 'self'; style-src 'self'; report-uri /dashboard/csp_report"
Header set Content-Security-Policy "default-src 'self'; child-src 'self'; connect-src 'self' fonts.gstatic.com; font-src 'self' fonts.gstatic.com fonts.googleapis.com; img-src 'self' data:; object-src 'self'; script-src 'unsafe-eval' 'unsafe-inline' 'self'; style-src 'unsafe-inline' 'self' fonts.googleapis.com fonts.gstatic.com; report-uri /dashboard/csp_report"
Header set X-Content-Type-Options "nosniff"
Header set X-Frame-Options "SAMEORIGIN"
Header set X-Permitted-Cross-Domain-Policies "none"
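Review bot: the new `script-src 'unsafe-eval' 'unsafe-inline' 'self'` on the replacement Header line gives up most of what this CSP buys against XSS: any inline `<script>` or event-handler attribute an attacker manages to inject, and any `eval`/`new Function` call, is now permitted, so the policy only constrains the origins of external scripts. The commit message points at ManageIQ/manageiq#4647 for the reason, but the config itself should carry a comment above the Header line naming what needs inline and eval, and if it is a handful of inline blocks, a per-response nonce (`script-src 'nonce-<value>' 'self'`) or SHA-256 hashes would unblock them without dropping injection protection; the `report-uri /dashboard/csp_report` endpoint kept on the same line is the place to measure what a stricter policy would break first. Two smaller points on the same line: `object-src 'self'` is broader than needed unless something under /assets/ is actually loaded through `<object>`/`<embed>`, and `'none'` is the usual choice; and `connect-src 'self' fonts.gstatic.com` only matters if code issues fetch/XHR/WebSocket requests to that host, since font file loads are governed by `font-src`, which already lists it.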
@@ -37,7 +37,7 @@ SSLCertificateKeyFile /var/www/miq/vmdb/certs/server.cer.key

<Location /packs/>
Header unset ETag
Header set Content-Security-Policy "default-src 'self'; child-src 'self'; connect-src 'self'; font-src 'self' fonts.gstatic.com; script-src 'self'; style-src 'self'; report-uri /dashboard/csp_report"
Header set Content-Security-Policy "default-src 'self'; child-src 'self'; connect-src 'self' fonts.gstatic.com; font-src 'self' fonts.gstatic.com fonts.googleapis.com; img-src 'self' data:; object-src 'self'; script-src 'unsafe-eval' 'unsafe-inline' 'self'; style-src 'unsafe-inline' 'self' fonts.googleapis.com fonts.gstatic.com; report-uri /dashboard/csp_report"
Header set X-Content-Type-Options "nosniff"
Header set X-Frame-Options "SAMEORIGIN"
Header set X-Permitted-Cross-Domain-Policies "none"
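Review bot: this hunk is a verbatim copy of the /assets/ policy in the first hunk, so the same long directive string now lives in two Location blocks and will drift the next time only one of them is edited (the old lines already show the two blocks were being kept identical by hand). Consider defining it once, for example `Define MIQ_ASSET_CSP "default-src 'self'; child-src 'self'; ..."` near the top of the file and `Header set Content-Security-Policy "${MIQ_ASSET_CSP}"` in both `<Location>` blocks, or moving the shared Header lines into one snippet pulled in with `Include`. The objections to `'unsafe-inline'`/`'unsafe-eval'` in `script-src` and to `object-src 'self'` apply to this block exactly as to /assets/. Also worth recording in a comment: both paths serve static files, so this CSP only governs what an asset can load when a browser renders it as a top-level document (an SVG or HTML file opened directly); it does not protect the application pages themselves.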