Move the CSP to only apply to DAViCal htdocs

2026-05-28 03:04:15 +00:00 · 2023-10-23 17:57:42 +13:00 · 2023-10-23 17:57:42 +13:00 · 3d2e3d9f12
commit 3d2e3d9f12
parent aaa70a83f8
3 changed files with 16 additions and 10 deletions
--- a/config/apache-davical.conf
+++ b/config/apache-davical.conf
@ -21,6 +21,11 @@ Alias /davical /usr/share/davical/htdocs
  # Some people want this. YMMV.
  #php_admin_value open_basedir /usr/share/awl/inc/:/usr/share/davical/:/etc/davical/
  # All content for our UI should be served locally.
  <FilesMatch "(admin|help|iSchedule|index|metrics|public|setup|tools|upgrade).php">
    Header set Content-Security-Policy "default-src 'none'; img-src 'self' data:; media-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline' data:; font-src 'self' data:; object-src 'self'; base-uri 'self'; connect-src 'self'; form-action 'self'; frame-ancestors 'self'"
  </FilesMatch>
 </Directory>
 <IfModule mod_rewrite.c>
@ -49,8 +54,3 @@ Alias /davical /usr/share/davical/htdocs
  # Everything else gets rewritten to /caldav.php/...
  #RewriteRule ^(.*)$ /davical/caldav.php$1  [NC,L]
 </IfModule>
 # All content for our UI should be served locally.
 <FilesMatch "(admin|help|iSchedule|index|metrics|public|setup|tools|upgrade).php">
  Header set Content-Security-Policy "default-src 'none'; img-src 'self' data:; media-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline' data:; font-src 'self' data:; object-src 'self'; base-uri 'self'; connect-src 'self'; form-action 'self'; frame-ancestors 'self'"
 </FilesMatch>
--- a/debian/changelog
+++ b/debian/changelog
@ -1,3 +1,9 @@
 davical (1.1.13-1) UNRELEASED; urgency=medium
  * New upstream release (Closes: #1040996)
 -- Andrew Ruthven <andrew@etc.gen.nz>  Mon, 23 Oct 2023 17:57:01 +1300
 davical (1.1.12-1) unstable; urgency=medium
  [ Debian Janitor ]
--- a/testing/apache-site.conf.example
+++ b/testing/apache-site.conf.example
@ -11,6 +11,11 @@ Listen 127.0.1.1:80
    Require all granted
    DirectoryIndex index.php index.html
    php_value include_path /path/to/awl/inc:/path/to/davical/testing
    # All content for our UI should be served locally.
    <FilesMatch "(admin|help|iSchedule|index|metrics|public|setup|tools|upgrade).php">
      Header set Content-Security-Policy "default-src 'none'; img-src 'self' data:; media-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline' data:; font-src 'self' data:; object-src 'self'; base-uri 'self'; connect-src 'self'; form-action 'self'; frame-ancestors 'self'"
    </FilesMatch>
  </Directory>
  RewriteEngine On
@ -25,9 +30,4 @@ Listen 127.0.1.1:80
  RewriteCond %{REQUEST_URI} !^/$
  RewriteCond %{REQUEST_URI} !\.(php|css|png|gif|js|jpg|ico)
  RewriteRule ^(.*)$ /caldav.php$1  [NC,L]
  # All content for our UI should be served locally.
  <FilesMatch "(admin|help|iSchedule|index|metrics|public|setup|tools|upgrade).php">
    Header set Content-Security-Policy "default-src 'none'; img-src 'self' data:; media-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline' data:; font-src 'self' data:; object-src 'self'; base-uri 'self'; connect-src 'self'; form-action 'self'; frame-ancestors 'self'"
  </FilesMatch>
 </VirtualHost>