Sunil Mohan Adapa 8ab551f285
apache: Relax CSP to allow web workers for JSXC
Closes: #1893.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Veiko Aasa <veiko17@disroot.org>
2020-06-29 23:31:03 +03:00


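##
## Enable HSTS for one year, including subdomains, on every HTTPS response.
##
## `always` is used so the header also goes out on responses Apache
## generates itself with a non-2xx status, e.g. the RedirectMatch redirects
## below and error pages; the default `Header set` only populates the
## table used for successful responses, so those would otherwise carry no
## HSTS header. The env=HTTPS condition keeps it off plain-HTTP responses,
## where browsers ignore it anyway.
##
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" env=HTTPS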
##
## Send visitors arriving at the site root, or at any path starting with
## /freedombox, to /plinth: this turns the machine into a FreedomBox server
## and Plinth then acts as the portal to reach all other services.
##
## The single regex matches exactly "/" (the `$` alternative) or any URL
## path beginning with "/freedombox". The target contains no back
## references, so nothing of the original path is carried over to /plinth.
## No status is given, so the redirect is the RedirectMatch default (302).
##
RedirectMatch "^/(?:freedombox|$)" "/plinth"
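##
## Security headers for the FreedomBox web interface (Plinth) only.
##
## Referrer-Policy: do not send a Referer (sic) header from FreedomBox to
## external websites. This improves privacy by not disclosing FreedomBox
## domains/URLs to other origins. Apps such as blogs which want to advertise
## themselves with the referrer header may still do so.
##
## A strict Content Security Policy:
## - Fonts are allowed only from FreedomBox itself.
## - <frame>/<iframe> sources are disabled.
## - <img> sources are allowed only from FreedomBox itself.
## - Manifest file is not allowed as there is none yet.
## - <audio>, <video>, <track> tags are not allowed yet.
## - <object>, <embed>, <applet> tags are not allowed yet.
## - Allow JS from FreedomBox itself (no inline and attribute scripts).
## - Allow inline CSS and CSS files from FreedomBox itself.
## - Web worker sources are allowed only from FreedomBox itself (for JSXC).
##   Browsers without worker-src fall back to script-src, which is also
##   'self', so the effective policy is the same either way.
## - All other fetch sources, including Ajax (connect-src), fall back to
##   default-src and are therefore allowed only from FreedomBox itself.
## - <base> tag is not allowed.
## - No plugin types are allowed since object-src is 'none'.
## - Forms may only be submitted to FreedomBox itself.
## - This interface may not be embedded in <frame>, <iframe>, etc. tags.
## - When serving HTTPS, don't load HTTP assets. block-all-mixed-content is
##   deprecated in newer CSP drafts in favour of upgrade-insecure-requests,
##   but it is kept because it blocks HTTP sub-resources instead of silently
##   rewriting them.
##
## Strict sandboxing is enabled with some exceptions:
## - Allow running JavaScript.
## - Allow popups as sometimes we use <a target=_blank>.
## - Allow forms to support configuration forms.
## - Allow same-origin, so the page keeps its normal origin instead of
##   being treated as an opaque one (otherwise cookies and same-origin
##   requests to FreedomBox would not work).
##
## X-Frame-Options: DENY restates frame-ancestors 'none' for browsers that
## do not implement CSP Level 2; where both are supported, frame-ancestors
## takes precedence, so this adds no restriction beyond the CSP.
##
## Disable browser guessing of MIME types. FreedomBox already sets good
## content types for all the common file types.
##
## NOTE(review): `Header set` only affects successful responses; error
## pages generated by Apache for /plinth are sent without these headers.
## `Header always set` would cover them but would no longer replace a
## same-named header sent by the backend — confirm what Plinth emits before
## switching.
##
<Location /plinth>
    Header set Referrer-Policy 'same-origin'
    Header set Content-Security-Policy "font-src 'self'; frame-src 'none'; img-src 'self'; manifest-src 'none'; media-src 'none'; object-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; worker-src 'self'; default-src 'self'; base-uri 'none'; sandbox allow-scripts allow-popups allow-forms allow-same-origin; form-action 'self'; frame-ancestors 'none'; block-all-mixed-content;"
    Header set X-Frame-Options 'DENY'
    Header set X-Content-Type-Options 'nosniff'
</Location>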
##
## Serve the FreedomBox icon as /favicon.ico for apps that don't present
## their own icon using <link rel=''>.
##
## The request is rewritten internally (no redirect is sent to the
## browser); the passthrough flag hands the new URI back to the URL
## mapping phase so that other modules such as mod_alias can still act on
## it.
##
<LocationMatch "^/favicon\.ico$">
    <IfModule mod_rewrite.c>
        RewriteEngine On
        RewriteRule "/favicon\.ico$" "/plinth/static/theme/img/favicon.ico" [passthrough]
    </IfModule>
</LocationMatch>
##
## Compress SVG responses with gzip when mod_deflate is loaded.
##
## Only the image/svg+xml type is listed, so HTML and other dynamic
## responses are not compressed by this rule.
##
<IfModule deflate_module>
    AddOutputFilterByType DEFLATE image/svg+xml
</IfModule>