From ae8e8b2c9b1d6edc54106970b9828a860f956fc6 Mon Sep 17 00:00:00 2001
From: Illia Chub
Date: Tue, 21 Dec 2021 08:18:38 +0200
Subject: [PATCH] Temporarily disabled CSP headers as they tend to break some of our applications

---
 webserver/nginx.nix | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/webserver/nginx.nix b/webserver/nginx.nix
index 10f13bd..8b06e3a 100644
--- a/webserver/nginx.nix
+++ b/webserver/nginx.nix
@@ -28,7 +28,7 @@ in
 limit_conn perserver 1000;
 limit_req zone=mylimit burst=35 delay=25;
 add_header Strict-Transport-Security $hsts_header;
- add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+ #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
 add_header 'Referrer-Policy' 'origin-when-cross-origin';
 add_header X-Frame-Options DENY;
 add_header X-Content-Type-Options nosniff;
@@ -46,7 +46,7 @@ in
 limit_conn perserver 1000;
 limit_req zone=mylimit burst=35 delay=25;
 add_header Strict-Transport-Security $hsts_header;
- add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+ #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
 add_header 'Referrer-Policy' 'origin-when-cross-origin';
 add_header X-Frame-Options DENY;
 add_header X-Content-Type-Options nosniff;
@@ -64,7 +64,7 @@ in
 limit_conn perserver 1000;
 limit_req zone=mylimit burst=35 delay=25;
 add_header Strict-Transport-Security $hsts_header;
- add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+ #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
 add_header 'Referrer-Policy' 'origin-when-cross-origin';
 add_header X-Frame-Options DENY;
 add_header X-Content-Type-Options nosniff;
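Review bot: Commenting out the `add_header Content-Security-Policy ...` line in the @@ -28 hunk (and identically in the @@ -46, -64, -87, -112, -156, -179 and -203 hunks) drops the only script-injection mitigation on every server block at once, even though the commit message says only "some" applications break, and nothing in the diff records which ones or when the header is meant to return. A safer interim step is to keep the same policy but switch the header name so browsers log violations without enforcing, `add_header Content-Security-Policy-Report-Only "script-src 'self'; object-src 'none'; base-uri 'none';" always;`, which lets you identify the offending applications from their console or report output and then re-enable enforcement per vhost instead of globally. The `object-src 'none'; base-uri 'none'` directives are unlikely to be what breaks an application and could stay enforced while only `script-src` is relaxed where needed. The commented-out line should also carry a comment naming the tracking issue or owner for re-enabling it, e.g. `# CSP disabled <date>; re-enable once <app> is fixed, see <issue-placeholder>`, so "temporarily" does not become permanent.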
@@ -87,7 +87,7 @@ in
 limit_conn perserver 1000;
 limit_req zone=mylimit burst=35 delay=25;
 add_header Strict-Transport-Security $hsts_header;
- add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+ #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
 add_header 'Referrer-Policy' 'origin-when-cross-origin';
 add_header X-Frame-Options DENY;
 add_header X-Content-Type-Options nosniff;
@@ -112,7 +112,7 @@ in
 limit_conn perserver 1000;
 limit_req zone=mylimit burst=35 delay=25;
 add_header Strict-Transport-Security $hsts_header;
- add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+ #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
 add_header 'Referrer-Policy' 'origin-when-cross-origin';
 add_header X-Frame-Options DENY;
 add_header X-Content-Type-Options nosniff;
@@ -156,7 +156,7 @@ in
 limit_conn perserver 1000;
 limit_req zone=mylimit burst=35 delay=25;
 add_header Strict-Transport-Security $hsts_header;
- add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+ #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
 add_header 'Referrer-Policy' 'origin-when-cross-origin';
 add_header X-Frame-Options DENY;
 add_header X-Content-Type-Options nosniff;
@@ -179,7 +179,7 @@ in
 limit_conn perserver 1000;
 limit_req zone=mylimit burst=35 delay=25;
 add_header Strict-Transport-Security $hsts_header;
- add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+ #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
 add_header 'Referrer-Policy' 'origin-when-cross-origin';
 add_header X-Frame-Options DENY;
 add_header X-Content-Type-Options nosniff;
@@ -203,7 +203,7 @@ in
 limit_conn perserver 1000;
 limit_req zone=mylimit burst=35 delay=25;
 add_header Strict-Transport-Security $hsts_header;
- add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+ #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
 add_header 'Referrer-Policy' 'origin-when-cross-origin';
 add_header X-Frame-Options DENY;
 add_header X-Content-Type-Options nosniff;