Good morning all!

Due to pagure's new default content security policy, src.fp.o users are getting a CSP error since the UI is trying to fetch a js file from apps.fp.o and the policy denies it. We need a configuration change on src.fp.o to modify the CSP policy on src{.stg}.fp.o instances to allow clients to fetch js files from apps.fp.o. I opened an issue on the tracker[0], but since we are on freeze now here goes the same patch for a FBR.

Regards,

[0]: https://pagure.io/fedora-infrastructure/issue/8121

--
Julen Landa Alustiza
From 2fb07c8164aa48330449b7b7ff917155d50210ea Mon Sep 17 00:00:00 2001 From: Julen Landa Alustiza <jlanda@xxxxxxxxxxxxxxxxx> Date: Wed, 21 Aug 2019 16:59:26 +0200 Subject: [PATCH] dist-git: Custom csp policy that allows connecting to apps.fp.o --- roles/distgit/pagure/templates/pagure.cfg | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/roles/distgit/pagure/templates/pagure.cfg b/roles/distgit/pagure/templates/pagure.cfg index f3dd2c466..0aa7c7764 100644 --- a/roles/distgit/pagure/templates/pagure.cfg +++ b/roles/distgit/pagure/templates/pagure.cfg @@ -296,4 +296,13 @@ PROJECT_NAME_REGEX = '^[a-zA-z0-9_][a-zA-Z0-9-_\.+]*$' HTTP_REPO_ACCESS_GITOLITE = None +CSP_HEADERS = ( + "default-src 'self';" + "script-src 'self' '{nonce_script}' https://apps.fedoraproject.org; " + "style-src 'self' '{nonce_style}'; " + "object-src 'none';" + "base-uri 'self';" + "img-src 'self' https:;" +) + {% include "pagure_shared.cfg" %} -- 2.21.0
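Review bot: the new `script-src` entry `https://apps.fedoraproject.org` whitelists every script served from that host, while the mail says only one js file is needed; CSP source expressions accept a path, so consider narrowing it to that file (e.g. `https://apps.fedoraproject.org/<path-to-the-script>`, with the real path substituted) so a compromise or misconfiguration of any other resource on apps.fp.o cannot be used to run script on src.fp.o. Two smaller points on the same hunk: the adjacent string literals are joined without a separator, and only some of them end in `"; "` while others end in `";"` (`default-src`, `object-src`, `base-uri`, `img-src`); the CSP grammar tolerates a missing space after `;`, but ending every literal with `"; "` avoids a future edit silently gluing two directives together. Since this replaces the whole `CSP_HEADERS` tuple rather than extending it, a short comment in the template pointing at issue #8121 and stating that this is the upstream default plus the apps.fp.o source would help whoever later has to reconcile it with a changed upstream default. Unrelated and pre-existing, visible in the context line: `PROJECT_NAME_REGEX = '^[a-zA-z0-9_]...'` uses the range `A-z`, which also matches `[`, `\`, `]`, `^`, `_` and the backtick; it is presumably meant to be `A-Z` and deserves its own follow-up ticket.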
_______________________________________________ infrastructure mailing list -- infrastructure@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to infrastructure-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/infrastructure@xxxxxxxxxxxxxxxxxxxxxxx