From 1cb54370e8a685c90f11b268f62599b7456c0dd7 Mon Sep 17 00:00:00 2001
From: Robert Linder <26493779+Malvoz@users.noreply.github.com>
Date: Mon, 18 Mar 2019 13:50:01 +0100
Subject: [PATCH] Update content-security-policy.conf
---
 src/security/content-security-policy.conf | 30 +++++++++++------------
 1 file changed, 14 insertions(+), 16 deletions(-)
diff --git a/src/security/content-security-policy.conf b/src/security/content-security-policy.conf
index b5e62c2f..595bf334 100644
--- a/src/security/content-security-policy.conf
+++ b/src/security/content-security-policy.conf
@@ -14,14 +14,7 @@
 #
 # The example policy below ensures that:
 #
-# (1) The `` element is not allowed on the website. This is to
-# prevent attackers from changing the locations of resources loaded
-# from relative URLs.
-#
-# If you want to use the `` element, then `base-uri 'self'`
-# can be used instead.
-#
-# (2) All resources are restricted to the origin of the current website
+# (1) All resources are restricted to the origin of the current website
 # by setting the `default-src` directive to `'self'` - which acts as a
 # fallback to all "Fetch directives" (https://developer.mozilla.org/en-US/docs/Glossary/Fetch_directive).
 #
@@ -32,14 +25,19 @@
 # This restriction also means that you must explicitly define from
 # which site(s) your website is allowed to load resources from.
 #
-# (3) Scripts are only allowed to be loaded from the current website
-# and an example CDN website.
+# (2) The `` element is not allowed on the website. This is to
+# prevent attackers from changing the locations of resources loaded
+# from relative URLs.
+#
+# If you want to use the `` element, then `base-uri 'self'`
+# can be used instead.
 #
-# (4) Form submissions are only allowed from the current website by
+# (3) Form submissions are only allowed from the current website by
 # setting: `form-action 'self'`.
 #
-# (5) Prevents other websites from embedding your website with e.g. the
-# `
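Review bot: Item (1) in the first hunk states that `default-src 'self'` acts as a fallback for all fetch directives, but the renumbered list never says why the directives in (2) and (3) still have to be written out explicitly; `base-uri` and `form-action` are not fetch directives and do not inherit from `default-src`, so a reader who trims the policy down to `default-src 'self'` would silently lose both protections. Suggest appending one comment line to item (1): `# Note: base-uri and form-action ((2) and (3) below) are not fetch directives, so default-src does not cover them and they must be set explicitly.` The second hunk runs past the end of the page, so the tail of the renumbered list and the policy line itself could not be reviewed here.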