From 08f311ae73744f019d405007d1cf25bbe7e5f729 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=89milio=20Gonzalez?=
Date: Mon, 27 Jan 2020 08:09:49 -0800
Subject: [PATCH 1/8] add a Content Security Policy to flaggr

---
 nginx/nginx.conf | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/nginx/nginx.conf b/nginx/nginx.conf
index 3bcebb9..2cbd11d 100644
--- a/nginx/nginx.conf
+++ b/nginx/nginx.conf
@@ -63,6 +63,15 @@ http {
 # ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
 add_header X-Xss-Protection "1; mode=block" always;

+ # with Content Security Policy (CSP) enabled(and a browser that supports it(http://caniuse.com/#feat=contentsecuritypolicy),
+ # you can tell the browser that it can only download content from the domains you explicitly allow
+ # http://www.html5rocks.com/en/tutorials/security/content-security-policy/
+ # https://www.owasp.org/index.php/Content_Security_Policy
+ # I need to change our application code so we can increase security by disabling 'unsafe-inline' 'unsafe-eval'
+ # directives for css and js(if you have inline css or js, you will need to keep it too).
+ # more: http://www.html5rocks.com/en/tutorials/security/content-security-policy/#inline-code-considered-harmful
+ add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://themes.googleusercontent.com; object-src 'none'";
+
 location /admin {
 alias /var/www/html/admin;
 index index.html;
From 94f733f360b2b9050231c00b3745aab27b82aee5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=89milio=20Gonzalez?=
Date: Mon, 27 Jan 2020 08:13:59 -0800
Subject: [PATCH 2/8] fix fonts and stylesheets for the CSP

---
 nginx/nginx.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/nginx/nginx.conf b/nginx/nginx.conf
index 2cbd11d..a5e02c4 100644
--- a/nginx/nginx.conf
+++ b/nginx/nginx.conf
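Review bot: The new `add_header Content-Security-Policy` line is missing the `always` parameter that the `X-Xss-Protection` line two lines above carries, so nginx attaches the CSP only to the success and redirect status codes it lists (200, 201, 204, 206, 301–308) and 4xx/5xx error pages, where reflected input most often ends up, are sent with no policy at all; end the line with `" always;` like its neighbour. The policy also sets no `frame-ancestors`, `base-uri` or `form-action`, and none of those fall back to `default-src`, so consider appending `base-uri 'self'` and a `frame-ancestors` value that matches whatever framing the site's X-Frame-Options header (not visible here) permits. Note too that nginx discards inherited `add_header` directives in any `location` that declares its own `add_header`; the `location /admin` block that follows is cut off by the hunk, so it is worth checking that it does not silently lose this header.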
@@ -70,7 +70,7 @@ http {
 # I need to change our application code so we can increase security by disabling 'unsafe-inline' 'unsafe-eval'
 # directives for css and js(if you have inline css or js, you will need to keep it too).
 # more: http://www.html5rocks.com/en/tutorials/security/content-security-policy/#inline-code-considered-harmful
- add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://themes.googleusercontent.com; object-src 'none'";
+ add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdn.materialdesignicons.com; font-src 'self' https://fonts.gstatic.com/; object-src 'none'";

 location /admin {
 alias /var/www/html/admin;
From 5a869967c0af2016d8477b1aafd75421873c839c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=89milio=20Gonzalez?=
Date: Mon, 27 Jan 2020 08:16:00 -0800
Subject: [PATCH 3/8] try to remove unsafe-eval from csp

---
 nginx/nginx.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/nginx/nginx.conf b/nginx/nginx.conf
index a5e02c4..fcc3da4 100644
--- a/nginx/nginx.conf
+++ b/nginx/nginx.conf
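Review bot: The new `style-src` entry `https://cdn.materialdesignicons.com` trusts every stylesheet that third-party CDN serves, so a compromise of that host can inject arbitrary CSS into every page, including the admin UI; unless the file is awkward to vendor, serving the icon CSS from the static root under `'self'` is the tighter choice, and if the CDN stays, the `<link>` that loads it should carry a Subresource Integrity hash (the HTML is not visible here to confirm either). The `font-src` source `https://fonts.gstatic.com/` is the only host written with a trailing slash; a `/` path component matches every path anyway, so `https://fonts.gstatic.com` is equivalent and keeps the list consistent.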
@@ -70,7 +70,7 @@ http {
 # I need to change our application code so we can increase security by disabling 'unsafe-inline' 'unsafe-eval'
 # directives for css and js(if you have inline css or js, you will need to keep it too).
 # more: http://www.html5rocks.com/en/tutorials/security/content-security-policy/#inline-code-considered-harmful
- add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdn.materialdesignicons.com; font-src 'self' https://fonts.gstatic.com/; object-src 'none'";
+ add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' ; img-src 'self'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdn.materialdesignicons.com; font-src 'self' https://fonts.gstatic.com/; object-src 'none'";

 location /admin {
 alias /var/www/html/admin;
From f0c78e8c0a57f2d8c21d7082cc33b491699ce3e7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=89milio=20Gonzalez?=
Date: Mon, 27 Jan 2020 08:17:37 -0800
Subject: [PATCH 4/8] try to remove unsafe-inline from csp

---
 nginx/nginx.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/nginx/nginx.conf b/nginx/nginx.conf
index fcc3da4..208ae98 100644
--- a/nginx/nginx.conf
+++ b/nginx/nginx.conf
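Review bot: Deleting `'unsafe-eval'` leaves a stray space before the semicolon in `script-src 'self' 'unsafe-inline' ;` on the new line; browsers tolerate it, but it reads as an editing leftover, so write `script-src 'self' 'unsafe-inline';`. Dropping `'unsafe-eval'` only blocks `eval`, `new Function` and string-argument timers; with `'unsafe-inline'` still present the directive does nothing against an injected `<script>` block, so this step is worthwhile but should not be read as XSS protection yet, and the comment two lines above still says both keywords are to be removed.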
@@ -70,7 +70,7 @@ http {
 # I need to change our application code so we can increase security by disabling 'unsafe-inline' 'unsafe-eval'
 # directives for css and js(if you have inline css or js, you will need to keep it too).
 # more: http://www.html5rocks.com/en/tutorials/security/content-security-policy/#inline-code-considered-harmful
- add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' ; img-src 'self'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdn.materialdesignicons.com; font-src 'self' https://fonts.gstatic.com/; object-src 'none'";
+ add_header Content-Security-Policy "default-src 'self'; script-src 'self'; img-src 'self'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdn.materialdesignicons.com; font-src 'self' https://fonts.gstatic.com/; object-src 'none'";

 location /admin {
 alias /var/www/html/admin;
From 01f7aa54a09eea6ad2e3718ca7dfc13f9a8c8f66 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=89milio=20Gonzalez?=
Date: Mon, 27 Jan 2020 08:20:05 -0800
Subject: [PATCH 5/8] revert last commit

---
 nginx/nginx.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/nginx/nginx.conf b/nginx/nginx.conf
index 208ae98..fcc3da4 100644
--- a/nginx/nginx.conf
+++ b/nginx/nginx.conf
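Review bot: Removing `'unsafe-inline'` from `script-src` blocks every inline `<script>` block and `on*=` handler the front-end ships, and the next commit in this series reverts the change, which suggests the application still depends on them. The hardening can be kept without the breakage by issuing a per-response nonce — for example `set $csp_nonce $request_id;` in the server block and `script-src 'self' 'nonce-$csp_nonce'` in the header — with the same value injected into the inline `<script>` tags by the app or via `sub_filter`; where the inline code is static, per-script `'sha256-…'` hashes work too. Whatever the approach, trial it first under `Content-Security-Policy-Report-Only` with a `report-uri` or `report-to` endpoint so violations are logged instead of breaking pages, rather than toggling the enforced header in place as this series does.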
@@ -70,7 +70,7 @@ http {
 # I need to change our application code so we can increase security by disabling 'unsafe-inline' 'unsafe-eval'
 # directives for css and js(if you have inline css or js, you will need to keep it too).
 # more: http://www.html5rocks.com/en/tutorials/security/content-security-policy/#inline-code-considered-harmful
- add_header Content-Security-Policy "default-src 'self'; script-src 'self'; img-src 'self'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdn.materialdesignicons.com; font-src 'self' https://fonts.gstatic.com/; object-src 'none'";
+ add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' ; img-src 'self'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdn.materialdesignicons.com; font-src 'self' https://fonts.gstatic.com/; object-src 'none'";

 location /admin {
 alias /var/www/html/admin;
From 05e53ce42b71a0360275b43531173868fae8c3b7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=89milio=20Gonzalez?=
Date: Mon, 27 Jan 2020 08:35:05 -0800
Subject: [PATCH 6/8] fix case where csp would block 'data:' images

---
 nginx/nginx.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/nginx/nginx.conf b/nginx/nginx.conf
index fcc3da4..fb3747d 100644
--- a/nginx/nginx.conf
+++ b/nginx/nginx.conf
@@ -70,7 +70,7 @@ http {
 # I need to change our application code so we can increase security by disabling 'unsafe-inline' 'unsafe-eval'
 # directives for css and js(if you have inline css or js, you will need to keep it too).
 # more: http://www.html5rocks.com/en/tutorials/security/content-security-policy/#inline-code-considered-harmful
- add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' ; img-src 'self'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdn.materialdesignicons.com; font-src 'self' https://fonts.gstatic.com/; object-src 'none'";
+ add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' ; img-src 'self' data:; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdn.materialdesignicons.com; font-src 'self' https://fonts.gstatic.com/; object-src 'none'";

 location /admin {
 alias /var/www/html/admin;
From 666550a835976f51e869d5c9897c2af82634ab7c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=89milio=20Gonzalez?=
Date: Mon, 27 Jan 2020 08:36:27 -0800
Subject: [PATCH 7/8] fix case where csp would block admin fonts

---
 nginx/nginx.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/nginx/nginx.conf b/nginx/nginx.conf
index fb3747d..68fb63e 100644
--- a/nginx/nginx.conf
+++ b/nginx/nginx.conf
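Review bot: The new `img-src 'self' data:` allowance has no comment saying which page or component embeds `data:` images, so whoever next tightens the policy cannot tell whether it is still needed; add a line such as `# data: images are needed by <component>; drop once it serves real image files` above the header, naming the component. Allowing `data:` under `img-src` is generally acceptable because an image cannot execute script, but the same scheme must stay out of `script-src`, `style-src` and `object-src`, where it would let injected content carry arbitrary code.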
@@ -70,7 +70,7 @@ http {
 # I need to change our application code so we can increase security by disabling 'unsafe-inline' 'unsafe-eval'
 # directives for css and js(if you have inline css or js, you will need to keep it too).
 # more: http://www.html5rocks.com/en/tutorials/security/content-security-policy/#inline-code-considered-harmful
- add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' ; img-src 'self' data:; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdn.materialdesignicons.com; font-src 'self' https://fonts.gstatic.com/; object-src 'none'";
+ add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' ; img-src 'self' data:; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdn.materialdesignicons.com; font-src 'self' https://cdn.materialdesignicons.com https://fonts.gstatic.com/; object-src 'none'";

 location /admin {
 alias /var/www/html/admin;
From 54bbf111e575e6fdc3445d3a810873a1ea43d922 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=89milio=20Gonzalez?=
Date: Mon, 27 Jan 2020 11:54:21 -0500
Subject: [PATCH 8/8] Update nginx.conf

---
 nginx/nginx.conf | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/nginx/nginx.conf b/nginx/nginx.conf
index 68fb63e..894def7 100644
--- a/nginx/nginx.conf
+++ b/nginx/nginx.conf
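Review bot: With this change `https://cdn.materialdesignicons.com` is trusted for both stylesheets and fonts, so the admin UI's rendering now depends on a host outside the project's control and every new asset type from it will need another host entry; vendoring the Material Design Icons CSS and font files under the static root would let both `style-src` and `font-src` fall back to `'self'` and remove the CDN as a point of failure or compromise. If the CDN is kept, record above the header which assets are loaded from it, e.g. `# cdn.materialdesignicons.com: materialdesignicons.min.css and its woff fonts, used by the admin UI`, so later reviewers know the two allowances are still in use.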
@@ -67,9 +67,6 @@ http {
 # you can tell the browser that it can only download content from the domains you explicitly allow
 # http://www.html5rocks.com/en/tutorials/security/content-security-policy/
 # https://www.owasp.org/index.php/Content_Security_Policy
- # I need to change our application code so we can increase security by disabling 'unsafe-inline' 'unsafe-eval'
- # directives for css and js(if you have inline css or js, you will need to keep it too).
- # more: http://www.html5rocks.com/en/tutorials/security/content-security-policy/#inline-code-considered-harmful
 add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' ; img-src 'self' data:; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdn.materialdesignicons.com; font-src 'self' https://cdn.materialdesignicons.com https://fonts.gstatic.com/; object-src 'none'";

 location /admin {