From c0082ac433d05d4add918bca5346f42821de37d6 Mon Sep 17 00:00:00 2001
From: Andrea Dell'Amico
Date: Wed, 28 Jul 2021 17:37:54 +0200
Subject: [PATCH] Better handling of the security headers.

---
 defaults/main.yml | 6 +++++-
 templates/nginx-virthost.j2 | 6 +++++-
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/defaults/main.yml b/defaults/main.yml
index bc499cb..c62f0c2 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -93,7 +93,11 @@ nginx_cors_allowed_headers: 'Accept,Authorization,Cache-Control,Content-Type,DNT
 nginx_set_xss_protection: False
 nginx_set_content_security_options: False
 # Choiches: 'self', 'none', a list of domains
-nginx_content_security_acl:
+nginx_content_security_src_acl:
+ - "'self'"
+# - "'none'"
+# - '{{ ansible_domain }}'
+nginx_content_security_ancestor_acl:
 - "'self'"
 # - "'none'"
 # - '{{ ansible_domain }}'
diff --git a/templates/nginx-virthost.j2 b/templates/nginx-virthost.j2
index e66cb54..d3e37dd 100644
--- a/templates/nginx-virthost.j2
+++ b/templates/nginx-virthost.j2
@@ -45,6 +45,7 @@ server {
 {% endif %}
 {% if nginx_set_xss_protection %}
+ proxy_hide_header X-XSS-Protection;
 add_header X-XSS-Protection "1; mode=block;";
 {% endif %}
 {% if nginx_set_frame_origin %}
@@ -52,7 +53,8 @@ server {
 add_header X-Frame-Options "{{ nginx_x_frame_options }}";
 {% endif %}
 {% if nginx_set_content_security_options %}
- add_header Content-Security-Policy "frame-ancestors{% for l in nginx_content_security_acl %} {{ l }}{% endfor %};";
+ proxy_hide_header Content-Security-Policy;
+ add_header Content-Security-Policy "frame-src{% for s in nginx_content_security_src_acl %} {{ l }}{% endfor %}; frame-ancestors{% for l in nginx_content_security_ancestor_acl %} {{ l }}{% endfor %};";
 {% endif %}
 server_tokens {{ item.server_tokens | default('off') }};
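Review bot: The rename from `nginx_content_security_acl` to `nginx_content_security_src_acl` / `nginx_content_security_ancestor_acl` drops the old name with no fallback, so any inventory that still sets `nginx_content_security_acl` silently falls back to the role default (`'self'` only) instead of the operator's intended frame-ancestors policy; either keep the old variable as a deprecated alias the template prefers when it is defined, or call the rename out in the role's changelog. The two comment blocks are also identical copies and never say which CSP directive each list feeds. I would replace the shared `# Choiches:` comment with `# frame-src: sources this site may load frames from. Choices: 'self', 'none', a list of domains` above the first list and `# frame-ancestors: sites allowed to embed this site in a frame. Choices: 'self', 'none', a list of domains` above the second.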
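Review bot: The added `proxy_hide_header X-XSS-Protection;` only strips the header from upstream responses in locations served through proxy_pass, and the `add_header` next to it is subject to nginx's non-inheritance rule: any `location` inside this `server` that declares its own `add_header` discards every server-level `add_header`, so the security headers set here can silently vanish for those paths. Whether such locations exist is outside this hunk, but a comment on the new line would spare the next maintainer the surprise, e.g. `{# add_header is not inherited by locations that set their own add_header; repeat the security headers there #}`. The same addition in the SSL server block (hunk @@ -260) shares this caveat. The enclosing `server` block starts and ends outside the hunk.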
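Review bot: The new `frame-src` loop iterates with `s` but emits `{{ l }}`, so under Ansible's default strict undefined handling the template fails to render, and with a lenient setting the directive is emitted with no sources (which CSP treats like `'none'`) while the configured list is never applied; the loop body should read `{{ s }}`: `add_header Content-Security-Policy "frame-src{% for s in nginx_content_security_src_acl %} {{ s }}{% endfor %}; frame-ancestors{% for l in nginx_content_security_ancestor_acl %} {{ l }}{% endfor %};";`. Since the header is now assembled from two lists, a short comment above the line would help, e.g. `{# frame-src = where this site may embed frames from; frame-ancestors = who may embed this site #}`. The enclosing `server` block starts and ends outside the hunk.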
@@ -260,6 +262,7 @@ server {
 include /etc/nginx/snippets/nginx-server-ssl.conf;
 {% if nginx_set_xss_protection %}
+ proxy_hide_header X-XSS-Protection;
 add_header X-XSS-Protection "1; mode=block;";
 {% endif %}
 {% if nginx_set_frame_origin %}
@@ -267,6 +270,7 @@ server {
 add_header X-Frame-Options "{{ nginx_x_frame_options }}";
 {% endif %}
 {% if nginx_set_content_security_options %}
+ proxy_hide_header Content-Security-Policy;
 add_header Content-Security-Policy "frame-ancestors{% for l in nginx_content_security_acl %} {{ l }}{% endfor %};";
 {% endif %}
 server_tokens {{ item.server_tokens | default('off') }};
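Review bot: The `add_header Content-Security-Policy` line kept as context here still loops over `nginx_content_security_acl`, which the defaults hunk in this same commit renames away, so rendering the SSL server block now fails with an undefined variable under Ansible's default strict handling, and the SSL vhost also never receives the `frame-src` directive the plain-HTTP block gained in hunk @@ -52. It should mirror that block (with the loop variable spelled consistently): `add_header Content-Security-Policy "frame-src{% for s in nginx_content_security_src_acl %} {{ s }}{% endfor %}; frame-ancestors{% for l in nginx_content_security_ancestor_acl %} {{ l }}{% endfor %};";`. A role test that renders the template for both the HTTP and SSL paths would have caught the divergence. The enclosing `server` block starts and ends outside the hunk.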