From: Peter Palfrader Date: Wed, 8 Mar 2017 18:00:44 +0000 (+0100) Subject: firefox considers style in .svg things "unsafe-inline" settings, so we need a differe... X-Git-Url: https://git.adam-barratt.org.uk/?a=commitdiff_plain;h=795bd0eac78611994873b7b7422f7a63aa378719;p=mirror%2Fdsa-puppet.git firefox considers style in .svg things "unsafe-inline" settings, so we need a different CSP for svg files --- diff --git a/modules/roles/templates/static-mirroring/vhost/static-vhosts-simple.erb b/modules/roles/templates/static-mirroring/vhost/static-vhosts-simple.erb index 3cc240028..d15ceb0f9 100644 --- a/modules/roles/templates/static-mirroring/vhost/static-vhosts-simple.erb +++ b/modules/roles/templates/static-mirroring/vhost/static-vhosts-simple.erb @@ -149,6 +149,9 @@ RewriteRule ^/source/([a-z0-9-]+)/([a-zA-Z0-9.+:~-]+)$ /${source-map:$1/$2} [L,R,NE] Header always set Content-Security-Policy "default-src 'self'; media-src 'none'; object-src 'none';" + + Header always set Content-Security-Policy "default-src 'none'; frame-ancestors 'none'; style-src 'self' 'unsafe-inline';" + <%=
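Review bot: The added `Header always set Content-Security-Policy "default-src 'none'; frame-ancestors 'none'; style-src 'self' 'unsafe-inline';"` line has nothing visible in this hunk that limits it to SVG files: the added lines directly before and after it are empty as shown here. If it ends up in the same scope as the existing `default-src 'self'; media-src 'none'; object-src 'none';` header just above it, the later `set` replaces the earlier value and every response from the vhost gets the SVG policy, including `style-src 'self' 'unsafe-inline'`. Please confirm the directive sits inside a `<Files>` or `<FilesMatch>` block matching `.svg`. A short comment in the template recording that `'unsafe-inline'` is there because of Firefox's handling of style in SVG would also help, so the exception is not later removed or copied into the general policy.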