File tree 2 files changed +10
-3
lines changed
2 files changed +10
-3
lines changed Original file line number Diff line number Diff line change 2020 include :
2121 - name : " Server Config Tests"
2222 install :
23- - curl -sSL https://github.com/h5bp/server-configs-test/releases/download/1.0.6 /server-configs-test.tar.gz | tar -xz -C test/
23+ - curl -sSL https://github.com/h5bp/server-configs-test/releases/download/1.2.0 /server-configs-test.tar.gz | tar -xz -C test/
2424 - ./bin/build.sh test/fixtures/.htaccess test/build/htaccess_fixture.conf
2525 before_script :
2626 - docker pull httpd
Original file line number Diff line number Diff line change 5454# website itself to be loaded over HTTPS you must include the
5555# `Strict-Transport-Security` header.
5656#
57+ # (6) The `Content-Security-Policy` header is included in all responses
58+ # that are able to execute scripting. This includes the commonly used
59+ # file types: HTML, XML and PDF documents. Although Javascript files
60+ # can not execute script in a "browsing context", they are still included
61+ # to target workers:
62+ # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#CSP_in_workers
63+ #
5764# To make your CSP implementation easier, you can use an online CSP header
5865# generator such as:
5966# https://report-uri.com/home/generate/
6875# https://www.w3.org/TR/CSP/
6976
7077<IfModule mod_headers.c>
71- # (1) (2) (3) (4) (5)
72- Header set Content-Security-Policy "default-src 'self'; base-uri 'none'; form-action 'self'; frame-ancestors 'none'; upgrade-insecure-requests" "expr=%{CONTENT_TYPE} =~ m#text/ html#i"
78+ # (1) (2) (3) (4) (5) (6)
79+ Header set Content-Security-Policy "default-src 'self'; base-uri 'none'; form-action 'self'; frame-ancestors 'none'; upgrade-insecure-requests" "expr=%{CONTENT_TYPE} =~ m#text\/( html|javascript)|application\/pdf|xml #i"
7380</IfModule>
You can’t perform that action at this time.
0 commit comments