From b59e90d100cc09e195b56ae185fcfa78c209a16f Mon Sep 17 00:00:00 2001 From: Tim Abbott Date: Mon, 6 Nov 2023 11:14:23 -0800 Subject: [PATCH] puppet: Fix buggy media-src Content-Security-Policy. The colon is invalid syntax. Verified the updated policy using an online CSP checker. --- .../files/nginx/zulip-include-frontend/uploads-internal.conf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/puppet/zulip/files/nginx/zulip-include-frontend/uploads-internal.conf b/puppet/zulip/files/nginx/zulip-include-frontend/uploads-internal.conf index 2ad1778386..69d54e2274 100644 --- a/puppet/zulip/files/nginx/zulip-include-frontend/uploads-internal.conf +++ b/puppet/zulip/files/nginx/zulip-include-frontend/uploads-internal.conf @@ -2,7 +2,7 @@ location ~ ^/internal/s3/(?[^/]+)/(?.*) { internal; include /etc/nginx/zulip-include/headers; - add_header Content-Security-Policy "default-src 'none'; media-src: 'self'; style-src 'self' 'unsafe-inline'; img-src 'self'; object-src 'self'; plugin-types application/pdf;"; + add_header Content-Security-Policy "default-src 'none'; media-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self'; object-src 'self'; plugin-types application/pdf;"; # The components of this path are originally double-URI-escaped # (see zerver/view/upload.py). "location" matches are on @@ -46,7 +46,7 @@ location ~ ^/internal/s3/(?[^/]+)/(?.*) { location /internal/local/uploads { internal; include /etc/nginx/zulip-include/headers; - add_header Content-Security-Policy "default-src 'none'; media-src: 'self'; style-src 'self' 'unsafe-inline'; img-src 'self'; object-src 'self'; plugin-types application/pdf;"; + add_header Content-Security-Policy "default-src 'none'; media-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self'; object-src 'self'; plugin-types application/pdf;"; # Django handles setting Content-Type, Content-Disposition, and Cache-Control.