review fix #26 and #18

Hye @JimboJoe, after more investigations, rules from nextCloud and tests :) L23```more_set_headers Content-Security-Policy "default-src data:;";``` is enough due to **/ynhpanel.css** where yunohost image tile and fonts are **data:base64**. There is no SP leaks in this case. I'll send rectification in this way.
9 years ago · ae908b4597
1 changed files with 2 additions and 2 deletions
--- a/conf/nginx.conf
+++ b/conf/nginx.conf
@ -20,7 +20,8 @@ location ^~ #LOCATION# {
  add_header X-Robots-Tag none;
  add_header X-Download-Options noopen;
  add_header X-Permitted-Cross-Domain-Policies none;
-  more_set_headers Content-Security-Policy "default-src 'self' 'unsafe-eval' data:;";
+  # Add data: to allow /ynhpanel.css to be load due to image on data:base64
+  more_set_headers Content-Security-Policy "default-src data:;";

  # Set max upload size
  client_max_body_size 10G;
@ -83,7 +84,6 @@ location ^~ #LOCATION# {
    add_header X-Robots-Tag none;
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none;
-    more_set_headers Content-Security-Policy "default-src 'self' 'unsafe-eval' data:;";
    # Optional: Don't log access to assets
    access_log off;
  }