Commit

Note required CSP script-src hashes
theory committed Aug 13, 2024
1 parent c87db4a commit d1ca833
Showing 1 changed file with 24 additions and 0 deletions.
24 changes: 24 additions & 0 deletions README.md
Expand Up @@ -230,6 +230,30 @@ Here's how to run PGXN::Manager behind a reverse proxy server:
them. Also, be sure to disable `merge_slashes` or else the mirror management
interface will not work.

* If the proxy service includes a [content security
policy](https://content-security-policy.com) header (a.k.a. CSP), it will
need the following `script-src` to allow inline JavaScript in `<script>`
elements to function:

```
script-src 'sha256-C3v/abgU7GuNO8EfzYDFmryoploCskBljphPWnpJ0po=' 'sha256-QELwtyyu4lxId+yoW1ljK+y138CYTwHC227Tc8LvVgQ=' 'sha256-q0V4Ot8L8YlUzZm2BytfHTK0KQLzCyqZrdSpnyAci3E=' 'sha256-RXOpCJp6UcKxmxWS3RRnMIv2fHaWnBuOwWmfvAHGnHo=' 'sha256-n9f9UVAruXN1NnhRiCfpqgcPxLngJaTutVulqcDjmr8=' 'sha256-yqqMPK8onoDpDcwg2+lqdbbOlOg8LH8MuO7NHEgua2c='
```
These values were created by the following shell script:
``` sh
printf 'script-src '
for js in "PGXN.validate_form('#reqform')" \
"PGXN.validate_form('#accform')" \
"PGXN.validate_form('#passform')" \
"PGXN.validate_form('#mirrorform')" \
"PGXN.init_moderate()" \
"PGXN.init_mirrors()"; do
printf "'sha256-%s' " "$(echo -n "$js" | openssl sha256 -binary | openssl base64)"
done
printf "\n"
```
* Install
[Plack::Middleware::ReverseProxy](https://metacpan.org/pod/Plack::Middleware::ReverseProxy)
from CPAN:
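
Review bot: In the generator loop, `echo -n "$js"` is not portable for a block tagged `sh`: under a shell whose `echo` does not honor `-n`, the literal `-n` and a trailing newline get hashed, the printed values no longer match the inline scripts, and the browser blocks them without any error on the server side. Suggest `printf '%s' "$js" | openssl sha256 -binary | openssl base64`, since the script already uses `printf` for everything else. The text should also say that each hash covers the exact characters between the `<script>` tags, so the list has to be regenerated whenever one of these inline calls changes, and that a proxy which already sends a `script-src` must merge these values into it rather than add a second directive. As a style point, indent both fenced blocks and the "These values were created" sentence under the bullet, and write the fence as three backticks followed directly by `sh`, so the list is not broken before `* Install`.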