From 269999aa4998048a566fcb5a7f46529d2df0c255 Mon Sep 17 00:00:00 2001
From: Keenan Brock
Date: Thu, 25 Apr 2024 10:07:28 -0400
Subject: [PATCH] Update apache header content-security-policy

updates:
- object-src https://github.com/ManageIQ/manageiq/pull/23001
- font-src img-src, style-src https://github.com/ManageIQ/manageiq/pull/21822
- connect-src https://github.com/ManageIQ/manageiq-ui-classic/pull/8227
- style-src, script-src: https://github.com/ManageIQ/manageiq/pull/4647
---
 COPY/etc/httpd/conf.d/manageiq-https-application.conf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/COPY/etc/httpd/conf.d/manageiq-https-application.conf b/COPY/etc/httpd/conf.d/manageiq-https-application.conf
index 704d0f5..d42c1b6 100644
--- a/COPY/etc/httpd/conf.d/manageiq-https-application.conf
+++ b/COPY/etc/httpd/conf.d/manageiq-https-application.conf
@@ -24,7 +24,7 @@ SSLCertificateKeyFile /var/www/miq/vmdb/certs/server.cer.key
 Header unset ETag
- Header set Content-Security-Policy "default-src 'self'; child-src 'self'; connect-src 'self'; font-src 'self' fonts.gstatic.com; script-src 'self'; style-src 'self'; report-uri /dashboard/csp_report"
+ Header set Content-Security-Policy "default-src 'self'; child-src 'self'; connect-src 'self' fonts.gstatic.com; font-src 'self' fonts.gstatic.com fonts.googleapis.com; img-src 'self' data:; object-src 'self'; script-src 'unsafe-eval' 'unsafe-inline' 'self'; style-src 'unsafe-inline' 'self' fonts.googleapis.com fonts.gstatic.com; report-uri /dashboard/csp_report"
 Header set X-Content-Type-Options "nosniff"
 Header set X-Frame-Options "SAMEORIGIN"
 Header set X-Permitted-Cross-Domain-Policies "none"
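Review bot: The added line puts 'unsafe-inline' and 'unsafe-eval' into script-src and 'unsafe-inline' into style-src, which gives up most of the injected-script mitigation the previous script-src 'self' provided, yet the conf itself records no reason for it; the identical change appears in the second hunk at line 37. The commit message attributes these directives to the linked ManageIQ PRs, so that justification belongs next to the header rather than only in history, e.g. a comment immediately above the Header line: `# 'unsafe-inline'/'unsafe-eval' in script-src and style-src are required by the ManageIQ UI (see ManageIQ/manageiq#4647); tighten to nonces or hashes once the UI supports them`. Because report-uri /dashboard/csp_report is retained, it is worth checking after rollout that the drop in reports is the expected effect of the relaxed policy rather than reporting having stopped, since inline-script violations will no longer be reported. Maintaining the same long directive string by hand in both blocks is fragile; a single Define or an included snippet would keep the two copies from drifting. The enclosing section (presumably an SSL VirtualHost, given the SSLCertificateKeyFile context line) starts before this hunk.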
@@ -37,7 +37,7 @@ SSLCertificateKeyFile /var/www/miq/vmdb/certs/server.cer.key
 Header unset ETag
- Header set Content-Security-Policy "default-src 'self'; child-src 'self'; connect-src 'self'; font-src 'self' fonts.gstatic.com; script-src 'self'; style-src 'self'; report-uri /dashboard/csp_report"
+ Header set Content-Security-Policy "default-src 'self'; child-src 'self'; connect-src 'self' fonts.gstatic.com; font-src 'self' fonts.gstatic.com fonts.googleapis.com; img-src 'self' data:; object-src 'self'; script-src 'unsafe-eval' 'unsafe-inline' 'self'; style-src 'unsafe-inline' 'self' fonts.googleapis.com fonts.gstatic.com; report-uri /dashboard/csp_report"
 Header set X-Content-Type-Options "nosniff"
 Header set X-Frame-Options "SAMEORIGIN"
 Header set X-Permitted-Cross-Domain-Policies "none"