From 3d63630102dd1f752f76969f3f7fbecf6591bcfe Mon Sep 17 00:00:00 2001
From: Agate <me@agate.blue>
Date: Thu, 23 Apr 2020 10:45:33 +0200
Subject: [PATCH] Added CSP configuration

---
 README.md               | 1 +
 defaults/main.yml       | 1 +
 templates/nginx.conf.j2 | 7 ++++++-
 3 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 7195c17..3874c88 100644
--- a/README.md
+++ b/README.md
@@ -120,6 +120,7 @@ Role Variables
 | `funkwhale_api_ip`                      | `127.0.0.1`                   | IP address with which to bind the Funkwhale server |
 | `funkwhale_api_port`                    | `5000`                        | Port with which to bind the Funkwhale server |
 | `funkwhale_config_path`                 | `/srv/funkwhale/config`       | Path to Funkwhale's configuration directory |
+| `funkwhale_nginx_csp_policy`            | `"default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:"`       | Content-Security-Policy header to us. You will need to tweak this if you're serving media files from a separate domain. |
 | `funkwhale_database_managed`            | `true`                        | If `true`, the role will manage the database server and Funkwhale's database  |
 | `funkwhale_database_name`               | `funkwhale`                   | Name of the Funkwhale database to use |
 | `funkwhale_database_user`               | `funkwhale`                   | Postgresql username to login as |
diff --git a/defaults/main.yml b/defaults/main.yml
index 90f6639..74ea9c7 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -38,6 +38,7 @@ funkwhale_letsencrypt_certbot_flags:
 funkwhale_letsencrypt_enabled: true
 funkwhale_letsencrypt_skip_cert: false
 
+funkwhale_nginx_csp_policy: "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:"
 funkwhale_redis_managed: true
 funkwhale_api_ip: 127.0.0.1
 funkwhale_api_port: 5000
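Review bot: The new `funkwhale_nginx_csp_policy` default ships `'unsafe-inline'` in `style-src` with no comment saying why it is required, and nothing here records that an empty value turns the header off (the template guards the directive with `{% if funkwhale_nginx_csp_policy -%}`), so an operator hardening the policy has no guidance. A short comment above the key would carry both: `# Content-Security-Policy sent by nginx; set to "" to omit the header.` and `# style-src keeps 'unsafe-inline' for the frontend's inline styles -- drop it only after verifying the UI still renders.` The directives omitted here (connect-src, frame-ancestors, form-action) fall back to `default-src 'self'` or are unrestricted, which is worth stating in the README entry for this variable as well.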
diff --git a/templates/nginx.conf.j2 b/templates/nginx.conf.j2
index 087aede..d7ff746 100644
--- a/templates/nginx.conf.j2
+++ b/templates/nginx.conf.j2
@@ -30,7 +30,12 @@ server {
     ssl_stapling on;
     ssl_stapling_verify on;
     add_header Strict-Transport-Security "max-age=63072000; preload";
-    {% endif %}
+    {% endif -%}
+
+    {% if funkwhale_nginx_csp_policy -%}
+    # Security-related headers
+    add_header Content-Security-Policy "{{ funkwhale_nginx_csp_policy }}";
+    {% endif -%}
 
     root {{ funkwhale_frontend_path }};
 
-- 
GitLab