Move the CSP to only apply to DAViCal htdocs

Andrew Ruthven 2023-10-23 17:57:42 +13:00
parent aaa70a83f8
commit 3d2e3d9f12
3 changed files with 16 additions and 10 deletions


@ -21,6 +21,11 @@ Alias /davical /usr/share/davical/htdocs
# Some people want this. YMMV.
#php_admin_value open_basedir /usr/share/awl/inc/:/usr/share/davical/:/etc/davical/
# All content for our UI should be served locally.
<FilesMatch "(admin|help|iSchedule|index|metrics|public|setup|tools|upgrade).php">
Header set Content-Security-Policy "default-src 'none'; img-src 'self' data:; media-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline' data:; font-src 'self' data:; object-src 'self'; base-uri 'self'; connect-src 'self'; form-action 'self'; frame-ancestors 'self'"
</FilesMatch>
</Directory>
<IfModule mod_rewrite.c>
@ -49,8 +54,3 @@ Alias /davical /usr/share/davical/htdocs
# Everything else gets rewritten to /caldav.php/...
#RewriteRule ^(.*)$ /davical/caldav.php$1 [NC,L]
</IfModule>
# All content for our UI should be served locally.
<FilesMatch "(admin|help|iSchedule|index|metrics|public|setup|tools|upgrade).php">
Header set Content-Security-Policy "default-src 'none'; img-src 'self' data:; media-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline' data:; font-src 'self' data:; object-src 'self'; base-uri 'self'; connect-src 'self'; form-action 'self'; frame-ancestors 'self'"
</FilesMatch>
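Review bot: The FilesMatch pattern on the new side has an unescaped `.` and no anchors, so it is a substring match in which `.` stands for any character, which is looser than the nine UI scripts the comment above it describes; tightening it to `<FilesMatch "^(admin|help|iSchedule|index|metrics|public|setup|tools|upgrade)\.php$">` makes the CSP scope match the stated intent. The `Header set` line also relies on mod_headers without an `<IfModule mod_headers.c>` guard, so a host without that module fails to load the config rather than serving without the header; whichever behaviour is wanted should be stated in the comment, since silently dropping the CSP is the less obvious failure mode. The same two points apply to the matching hunk in the third file section (the `Listen 127.0.1.1:80` virtual host). The enclosing `<Directory>` block opens outside this hunk.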

debian/changelog vendored

@ -1,3 +1,9 @@
davical (1.1.13-1) UNRELEASED; urgency=medium
* New upstream release (Closes: #1040996)
-- Andrew Ruthven <andrew@etc.gen.nz> Mon, 23 Oct 2023 17:57:01 +1300
davical (1.1.12-1) unstable; urgency=medium
[ Debian Janitor ]


@ -11,6 +11,11 @@ Listen 127.0.1.1:80
Require all granted
DirectoryIndex index.php index.html
php_value include_path /path/to/awl/inc:/path/to/davical/testing
# All content for our UI should be served locally.
<FilesMatch "(admin|help|iSchedule|index|metrics|public|setup|tools|upgrade).php">
Header set Content-Security-Policy "default-src 'none'; img-src 'self' data:; media-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline' data:; font-src 'self' data:; object-src 'self'; base-uri 'self'; connect-src 'self'; form-action 'self'; frame-ancestors 'self'"
</FilesMatch>
</Directory>
RewriteEngine On
@ -25,9 +30,4 @@ Listen 127.0.1.1:80
RewriteCond %{REQUEST_URI} !^/$
RewriteCond %{REQUEST_URI} !\.(php|css|png|gif|js|jpg|ico)
RewriteRule ^(.*)$ /caldav.php$1 [NC,L]
# All content for our UI should be served locally.
<FilesMatch "(admin|help|iSchedule|index|metrics|public|setup|tools|upgrade).php">
Header set Content-Security-Policy "default-src 'none'; img-src 'self' data:; media-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline' data:; font-src 'self' data:; object-src 'self'; base-uri 'self'; connect-src 'self'; form-action 'self'; frame-ancestors 'self'"
</FilesMatch>
</VirtualHost>