nginx: add Content-Security-Policy-Report-Only header to all content …

…sites

Fixes jquerygh-54

modules/profile/templates/contentorigin/site.nginx.erb

@@ -19,6 +19,9 @@ server {
     expires 30d;
 
     add_header Access-Control-Allow-Origin "*";
+
+    # Add Content Security Policy headers
+    add_header Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self' code.jquery.com; connect-src 'self'; img-src 'self'; style-src 'self'; report-to https://csp-report-api.openjs-foundation.workers.dev/";
   }
 
   location /.well-known/acme-challenge {

modules/profile/templates/gruntjscom/site.nginx.erb

@@ -16,6 +16,9 @@ server {
     proxy_pass http://localhost:<%= @backend_port %>;
     proxy_redirect off;
     proxy_buffering off;
+
+    # Add Content Security Policy headers
+    add_header Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self' code.jquery.com; connect-src 'self'; img-src 'self'; style-src 'self'; report-to https://csp-report-api.openjs-foundation.workers.dev/";
   }
 
   location /.well-known/acme-challenge {

modules/profile/templates/miscweb/site.nginx.erb

@@ -51,6 +51,12 @@ server {
     include              /etc/nginx/fastcgi_params;
   }
 <%- end -%>
+
+  location / {
+
+    # Add Content Security Policy headers
+    add_header Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self' code.jquery.com; connect-src 'self'; img-src 'self'; style-src 'self'; report-to https://csp-report-api.openjs-foundation.workers.dev/";
+  }
 }
 
 # vim: ts=2 sw=2 et

modules/profile/templates/wordpress/base/default-tls.nginx.erb

@@ -20,5 +20,8 @@ server {
 
   location / {
     deny all;
+
+    # Add Content Security Policy headers
+    add_header Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self' code.jquery.com; connect-src 'self'; img-src 'self'; style-src 'self'; report-to https://csp-report-api.openjs-foundation.workers.dev/";
   }
 }