Add pdf-as servers and www.handy-signatur.at to Content-Security-Policy (#4)

0d10e3d5 · Bekerle, Patrizio · e834ec3f · 0d10e3d5 · 0d10e3d5
Unverified Commit 0d10e3d5 authored 5 years ago by Bekerle, Patrizio
--- a/assets/.htaccess.ejs
+++ b/assets/.htaccess.ejs
@@ -4,7 +4,7 @@ DirectoryIndex <%= geturl('vpu-signature.html') %>
 </FilesMatch>

 Header set Cache-Control "must-revalidate, max-age=60"
-Header set Content-Security-Policy "default-src 'self' 'unsafe-eval' 'unsafe-inline' analytics.tugraz.at <%= keyCloakServer %> <%= entryPointURL %> httpbin.org; img-src *"
+Header set Content-Security-Policy "default-src 'self' 'unsafe-eval' 'unsafe-inline' analytics.tugraz.at <%= keyCloakServer %> <%= entryPointURL %> httpbin.org www.handy-signatur.at <%= pdfAsQualifiedlySigningServer %>; img-src *"

 # Apache adds a "-gzip" suffix to the etag when it uses gzip but doesn't
 # take that into account when receiving requests.

--- a/rollup.config.js
+++ b/rollup.config.js
@@ -33,6 +33,7 @@ let basePath = '';
 let entryPointURL = '';
 let keyCloakServer = '';
 let keyCloakBaseURL = '';
+let pdfAsQualifiedlySigningServer = 'sig-dev.tugraz.at';
 let matomoSiteId = 131;
 let useTerser = true;
 let useBabel = true;
@@ -62,6 +63,7 @@ switch (build) {
    entryPointURL = 'https://signature.tugraz.at';
    keyCloakServer = 'auth.tugraz.at';
    keyCloakBaseURL = 'https://' + keyCloakServer + '/auth';
+    pdfAsQualifiedlySigningServer = 'sig.tugraz.at';
    matomoSiteId = 130;
    break;
  case 'test':
@@ -191,6 +193,7 @@ export default {
            entryPointURL: entryPointURL,
            keyCloakServer: keyCloakServer,
            keyCloakBaseURL: keyCloakBaseURL,
+            pdfAsQualifiedlySigningServer: pdfAsQualifiedlySigningServer,
            environment: build,
            matomoSiteId: matomoSiteId,
            buildinfo: getBuildInfo()
@@ -264,7 +267,7 @@ export default {
          historyApiFallback: basePath + pkg.name + '.html',
          https: USE_HTTPS ? generateTLSConfig() : false,
          headers: {
-              'Content-Security-Policy': `default-src 'self' 'unsafe-eval' 'unsafe-inline' analytics.tugraz.at ${keyCloakServer} ${entryPointURL} httpbin.org; img-src *`
+              'Content-Security-Policy': `default-src 'self' 'unsafe-eval' 'unsafe-inline' analytics.tugraz.at ${keyCloakServer} ${entryPointURL} httpbin.org www.handy-signatur.at ${pdfAsQualifiedlySigningServer} ; img-src *`
          },
        }) : false
    ]