spk-spar-checker add Content-Security-Policy + filesmatch
authorAndreas Gerstenberg <gerstenberg@pixelpark.com>
Thu, 12 Oct 2017 15:55:27 +0000 (17:55 +0200)
committerAndreas Gerstenberg <gerstenberg@pixelpark.com>
Thu, 12 Oct 2017 15:55:27 +0000 (17:55 +0200)
customer/spk-spar-checker/production.yaml

index 3c7736bd0208d540495ca0a25d7dc6cc7839de6e..93ccc0a9ee29f0f5f1833ae37d1c2af194d503e9 100644 (file)
@@ -41,7 +41,8 @@ infra::profile::apache::pp_vhosts:
       - 'always set X-Frame-Options "SAMEORIGIN"'
       - 'always set X-Content-Type-Options "nosniff"'
       - 'always set Strict-Transport-Security: "max-age=15768001"'
-#      - "set Content-Security-Policy \"default-src 'self' 'unsafe-eval' 'unsafe-inline' ; style-src 'self' https://webfonts.sparkasse.de 'unsafe-inline' ; font-src 'self' data: https://webfonts.sparkasse.de ; img-src 'self' data: ;\""
+      - "set Content-Security-Policy \"default-src 'none'; connect-src 'self'; script-src 'self' data: www.google-analytics.com 'sha256-aed8ae7e95bc21fd56a9074f9eedd4db237cf41ebb8ea603d8bf6764f0d23f4c'; style-src 'self' data: https://webfonts.sparkasse.de 'unsafe-inline'; img-src 'self' data: img.vxcdn.com www.google-analytics.com www.verivox.de; font-src 'self' data: https://webfonts.sparkasse.de; child-src 'self'; object-src 'self'; form-action 'self'; report-uri /api/v1/report;\""
+
     aliases:
       - { alias: /api , path: /var/www/spar-checker/sparchecker-backend/public/api }
       - { alias: /sfp , path: /var/www/spar-checker/sparchecker-backend/public/sfp }
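Review bot: The script-src hash on the added Content-Security-Policy line is hex-encoded (64 hex characters), but a CSP hash-source must carry the base64-encoded SHA-256 digest, so as written the token matches nothing and the inline script it was presumably meant to allow will be blocked; regenerate it from the script's exact contents as `'sha256-<BASE64_DIGEST_PLACEHOLDER>'`. The header is also applied with plain `set` while the neighbouring headers use `always set`, which means the policy is missing from non-2xx responses such as error pages and redirects — change the start of the line to `"always set Content-Security-Policy \"default-src 'none'; …`. Two directive choices are worth confirming against what the site really needs: `data:` in script-src lets any data: URI run as script and largely undoes the gain from dropping 'unsafe-inline' there, and `object-src 'self'` is broader than the customary `'none'`. The header list this entry belongs to starts outside the hunk.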
@@ -102,6 +103,10 @@ infra::profile::apache::pp_vhosts:
         allow_override:
           - None
         directoryindex: 'index.php index.html'
+      - provider: filesmatch
+        path: '\.(ttf|otf|eot|woff)$'
+        headers:
+          - 'always set Access-Control-Allow-Origin "*"'
         rewrites:
           - comment: 'sfp files'
             rewrite_cond:
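Review bot: The new `- provider: filesmatch` item is inserted at list-item indent ahead of `rewrites:`, which stays at key indent, so `rewrites:` and its 'sfp files' rules now become keys of the new filesmatch entry instead of the preceding directory entry (whose item line starts outside the hunk). That silently strips the rewrites from the directory they were written for, and mod_rewrite directives are not accepted inside a FilesMatch container, so the rendered vhost is likely to fail or behave differently; move the four added lines to after the end of the preceding entry's `rewrites` block (outside this hunk), keeping `path` and `headers` at the same indent as `allow_override`. The pattern `'\.(ttf|otf|eot|woff)$'` omits `woff2`; if the site serves woff2 fonts they will not get the CORS header, and `path: '\.(ttf|otf|eot|woff2?)$'` would cover both. The wildcard `Access-Control-Allow-Origin "*"` is appropriate here only because these are public static font files; keep the match pattern from widening to paths that return per-user content.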