[fix] Include allowed_hostnames in nginx Content-Security-Policy #366

Fixes #366

README.md

@@ -1032,12 +1032,9 @@ Below are listed all the variables you can customize (you may also want to take
     # nginx error log configuration
     openwisp2_nginx_access_log: "{{ openwisp2_path }}/log/nginx.access.log"
     openwisp2_nginx_error_log: "{{ openwisp2_path }}/log/nginx.error.log error"
-    # nginx Content Security Policy header
+    # nginx Content Security Policy header, customize if needed
     openwisp2_nginx_csp: >
-      "default-src http: https: data: blob: 'unsafe-inline';
-      script-src 'unsafe-eval' https: 'unsafe-inline' 'self';
-      frame-ancestors 'self'; connect-src https://{{ inventory_hostname }} wss: 'self';
-      worker-src https://{{ inventory_hostname }} blob: 'self';" always;
+      CUSTOM_NGINX_SECURITY_POLICY
     # uwsgi gid, omitted by default
     openwisp2_uwsgi_gid: null
     # number of uWSGI process to spawn. Default value is 1.

defaults/main.yml

@@ -62,8 +62,8 @@ openwisp2_nginx_client_max_body_size: 20M
 openwisp2_nginx_csp: >
     "default-src http: https: data: blob: 'unsafe-inline';
     script-src 'unsafe-eval' https: 'unsafe-inline' 'self';
-    frame-ancestors 'self'; connect-src https://{{ inventory_hostname }} wss: 'self';
-    worker-src https://{{ inventory_hostname }} blob: 'self';" always;
+    frame-ancestors 'self'; connect-src https://{{ inventory_hostname }}{% for host in openwisp2_allowed_hosts %} https://{{ host }}{% endfor %} wss: 'self';
+    worker-src https://{{ inventory_hostname }}{% for host in openwisp2_allowed_hosts %} https://{{ host }}{% endfor %} blob: 'self';" always;
 openwisp2_uwsgi_gid: null
 openwisp2_admin_allowed_network: null
 openwisp2_install_ntp: true

tasks/nginx.yml

@@ -63,6 +63,7 @@
     dest: "{{ openwisp2_path }}/nginx-conf/openwisp2/security.conf"
     mode: 0644
   notify: Restart nginx
+  tags: [nginx_security]
 
 - name: Nginx site available
   template: