From f6a403d77f9e66451cde50210deb9ce6a47f8be5 Mon Sep 17 00:00:00 2001
From: Ihor Aleksandrychiev <ihor.aleksandrychiev@northern.tech>
Date: Fri, 11 Oct 2024 12:12:46 +0300
Subject: [PATCH] Added Content-Security-Policy header to the Apache httpd
 config

Ticket: ENT-4400
Signed-off-by: Ihor Aleksandrychiev <ihor.aleksandrychiev@northern.tech>
(cherry picked from commit 5a8d1a9c896d7beadceeb63b5a3feeb201db6667)
---
 deps-packaging/apache/httpd.conf | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/deps-packaging/apache/httpd.conf b/deps-packaging/apache/httpd.conf
index 6a98248fa..73bbcddd6 100644
--- a/deps-packaging/apache/httpd.conf
+++ b/deps-packaging/apache/httpd.conf
@@ -199,6 +199,23 @@ LogLevel warn
     Header always set X-Frame-Options DENY
     Header always set X-Content-Type-Options nosniff
 
+    Header always set Content-Security-Policy \
+        "frame-ancestors 'self'; \
+        default-src 'self'; \
+        script-src 'self' 'unsafe-inline'; \
+        style-src 'self' 'unsafe-inline' fonts.googleapis.com; \
+        object-src 'none'; \
+        frame-src 'self'; \
+        child-src 'self'; \
+        img-src 'self' data: blob: avatars.githubusercontent.com badges.gitter.im fonts.gstatic.com kiwiirc.com raw.githubusercontent.com; \
+        font-src 'self' data: fonts.googleapis.com fonts.gstatic.com; \
+        connect-src 'self' fonts.gstatic.com fonts.googleapis.com; \
+        manifest-src 'self'; \
+        base-uri 'self'; \
+        form-action 'self'; \
+        media-src 'self'; \
+        worker-src 'self' blob:;"
+
     <FilesMatch "\.(cgi|shtml|phtml|php)$">
         SSLOptions +StdEnvVars
     </FilesMatch>