nginx: use Reporting-Endpoints header to set report-to (#61)

- also set report-uri until Firefox supports report-to
jquery · Sep 10, 2024 · 1f32292 · 1f32292
1 parent 9840ee8
commit 1f32292
Show file tree

Hide file tree

Showing 3 changed files with 6 additions and 3 deletions.
diff --git a/modules/profile/templates/contentorigin/site.nginx.erb b/modules/profile/templates/contentorigin/site.nginx.erb
@@ -14,7 +14,8 @@ server {
   server_tokens off;
 
   # Add Content Security Policy headers
-  add_header Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self' code.jquery.com; connect-src 'self'; img-src 'self'; style-src 'self'; report-to https://csp-report-api.openjs-foundation.workers.dev/";
+  add_header Reporting-Endpoints "csp-endpoint=\"https://csp-report-api.openjs-foundation.workers.dev/\""
+  add_header Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self' code.jquery.com; connect-src 'self'; img-src 'self'; style-src 'self'; report-uri https://csp-report-api.openjs-foundation.workers.dev/; report-to csp-endpoint";
 
   location / {
     root /srv/www/content.jquery.com;

diff --git a/modules/profile/templates/gruntjscom/site.nginx.erb b/modules/profile/templates/gruntjscom/site.nginx.erb
@@ -18,7 +18,8 @@ server {
     proxy_buffering off;
 
     # Add Content Security Policy headers
-    add_header Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self' code.jquery.com; connect-src 'self'; img-src 'self'; style-src 'self'; report-to https://csp-report-api.openjs-foundation.workers.dev/" always;
+    add_header Reporting-Endpoints "csp-endpoint=\"https://csp-report-api.openjs-foundation.workers.dev/\""
+    add_header Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self'; report-uri https://csp-report-api.openjs-foundation.workers.dev/; report-to csp-endpoint;" always;
   }
 
   location /.well-known/acme-challenge {

diff --git a/modules/profile/templates/miscweb/site.nginx.erb b/modules/profile/templates/miscweb/site.nginx.erb
@@ -19,7 +19,8 @@ server {
   root /srv/www/<%= @fqdn %><%= @site['webroot'] or '' %>;
 
   # Add Content Security Policy headers
-  add_header Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self' code.jquery.com; connect-src 'self'; img-src 'self'; style-src 'self'; report-to https://csp-report-api.openjs-foundation.workers.dev/";
+  add_header Reporting-Endpoints "csp-endpoint=\"https://csp-report-api.openjs-foundation.workers.dev/\""
+  add_header Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self' code.jquery.com; connect-src 'self'; img-src 'self'; style-src 'self'; report-uri https://csp-report-api.openjs-foundation.workers.dev/; report-to csp-endpoint";
 
 <%- if @site['allow_php'] -%>
   index index.php index.html;