From c73010b3823caf8f637e06da5d1002e05cc62996 Mon Sep 17 00:00:00 2001
From: Kasper Seweryn
Date: Thu, 15 Sep 2022 08:57:04 +0000
Subject: [PATCH] Fix CSP headers for remote instance
---
changes/changelog.d/1977.bugfix | 1 +
docker/nginx/conf.dev | 6 +++---
2 files changed, 4 insertions(+), 3 deletions(-)
create mode 100644 changes/changelog.d/1977.bugfix
diff --git a/changes/changelog.d/1977.bugfix b/changes/changelog.d/1977.bugfix
new file mode 100644
index 000000000..e05e03648
--- /dev/null
+++ b/changes/changelog.d/1977.bugfix
@@ -0,0 +1 @@
+Fix CSP header issues
diff --git a/docker/nginx/conf.dev b/docker/nginx/conf.dev
index 2ca0a9d53..7be13a7b8 100644
--- a/docker/nginx/conf.dev
+++ b/docker/nginx/conf.dev
@@ -69,12 +69,12 @@ http {
 text/x-component
 text/x-cross-domain-policy;
- add_header Content-Security-Policy "connect-src https: wss: 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
+ add_header Content-Security-Policy "connect-src https: wss: http: ws: 'self' 'unsafe-eval'; style-src https: http: 'self' 'unsafe-inline'; img-src https: http: 'self' data:; font-src https: http: 'self' data:; object-src 'none'; media-src https: http: 'self' data:";
 add_header Referrer-Policy "strict-origin-when-cross-origin";
 add_header X-Frame-Options "SAMEORIGIN" always;
 location /front/ {
- add_header Content-Security-Policy "connect-src https: wss: 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
+ add_header Content-Security-Policy "connect-src https: wss: http: ws: 'self' 'unsafe-eval'; style-src https: http: 'self' 'unsafe-inline'; img-src https: http: 'self' data:; font-src https: http: 'self' data:; object-src 'none'; media-src https: http: 'self' data:";
 add_header Referrer-Policy "strict-origin-when-cross-origin";
 add_header Service-Worker-Allowed "/";
 # uncomment the following line and comment the proxy-pass one
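Review bot: Adding `http:` (and `ws:` on connect-src) to the scheme list of both Content-Security-Policy lines in this hunk, and to the embed.html policy in the next hunk, turns each affected directive into an allow-any-host rule: a bare scheme source matches every origin using that scheme, and CSP source matching lets `http:` also match `https:` URLs (and `ws:` match `wss:`), so `https: http: 'self'` is equivalent to just `http:`. The commit title points at one remote instance, so listing that origin keeps the restriction meaningful, e.g. `connect-src 'self' https://REMOTE_INSTANCE_HOST wss://REMOTE_INSTANCE_HOST;` with a constructed placeholder for the host, and if the dev setup needs a plaintext origin it can be supplied as a variable instead of baked into the policy. Since this is docker/nginx/conf.dev the relaxation may be acceptable for local development, but the same policy text should not be carried over into any production template (not visible here). The enclosing `http {` block begins and ends outside the hunk.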
@@ -83,7 +83,7 @@ http {
 proxy_pass http://funkwhale-front/front/;
 }
 location /front/embed.html {
- add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
+ add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src https: http: 'self' 'unsafe-inline'; img-src https: http: 'self' data:; font-src https: http: 'self' data:; object-src 'none'; media-src https: http: 'self' data:";
 add_header Referrer-Policy "strict-origin-when-cross-origin";
 add_header X-Frame-Options "" always;
 proxy_pass http://funkwhale-front/front/embed.html;
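Review bot: The rewritten `add_header Content-Security-Policy` for `/front/embed.html` (and the two rewritten in the previous hunk) still omits nginx's `always` parameter, while the neighbouring `add_header X-Frame-Options "" always;` has it; without `always`, nginx only attaches the header to the 2xx/3xx status codes it lists, so error responses proxied from funkwhale-front go out with no CSP at all. Appending ` always` to the three CSP directives, e.g. `add_header Content-Security-Policy "default-src 'self'; …" always;`, makes the header unconditional. Separately, this location deliberately blanks X-Frame-Options so the embed can be framed, yet the policy carries no `frame-ancestors` directive, so nothing states which sites may embed it; if a list of permitted embedding origins exists it belongs in `frame-ancestors`, and otherwise a one-line comment saying framing by any site is intended would document the choice. The `location` block's closing brace and the enclosing `http {` block lie outside the hunk.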