bert.hausmans
b5fcb7c14a
Vuexy loads fonts via webfontloader from fonts.googleapis.com and fonts.gstatic.com. The previous CSP blocked these, causing a white screen. - style-src: added https://fonts.googleapis.com - font-src: added https://fonts.gstatic.com - Removed frame-ancestors from meta tags (ignored in meta, console warnings) Updated in all three index.html dev meta tags and both Nginx SPA/portal configs. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
16 lines
1.2 KiB
Plaintext
16 lines
1.2 KiB
Plaintext
# CSP for app.crewli.app and admin.crewli.app
|
|
# Vite bundles all JS/CSS into same-origin files.
|
|
# 'unsafe-inline' for style-src is required by Vuetify (inline styles for theming).
|
|
# img-src https: allows organisation logos loaded from external URLs.
|
|
# connect-src must include the API domain for XHR/fetch calls.
|
|
#
|
|
# IMPORTANT: Start with Content-Security-Policy-Report-Only to catch
|
|
# false positives. Switch to Content-Security-Policy after 1-2 weeks
|
|
# of clean logs.
|
|
|
|
# Report-only mode (start with this):
|
|
# add_header Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; img-src 'self' data: https:; font-src 'self' data: https://fonts.gstatic.com; connect-src 'self' https://api.crewli.app; frame-ancestors 'none'; form-action 'self'; base-uri 'self'" always;
|
|
|
|
# Enforce mode (switch to this after testing):
|
|
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; img-src 'self' data: https:; font-src 'self' data: https://fonts.gstatic.com; connect-src 'self' https://api.crewli.app; frame-ancestors 'none'; form-action 'self'; base-uri 'self'" always;
|