View Issue Details

ID: 0008036
Project: Taler
Category: Web site(s)
View Status: public
Last Update: 2024-01-30 01:05
Reporter: Christian Grothoff
Assigned To: javier.sepulveda
Priority: low
Severity: tweak
Reproducibility: N/A
Status: assigned
Resolution: open
Platform: i7
OS: Debian GNU/Linux
OS Version: squeeze
Product Version: git (master)
Target Version: post-1.0
Summary: 0008036: CSP shared between many *.taler.net-sites, should be made specific to each subdomain
Description: Right now, /etc/nginx/conf.d/talercsp.conf is included in various site configurations (like talerssl.conf). However, the CSP should probably be specific to the various subdomains. I today had to extract the CSP from the SSL configuration file as the CSP as-is created big problems for the merchant backends of the demo (as the SPAs could not interact with the exchange based on the CSP).

We should probably create custom CSPs in each *.site file (possibly with the exception of the head/test/demo sites; here the *backends* should set any CSPs that are needed). Some sites already have their custom CSP, but it probably makes sense to use the current talercsp.conf as a starting point and to create a specific CSP for each site. This will, however, require some careful testing / understanding of what CSP the respective site needs. It *looks* pretty obvious which rules are needed for which site, but still, after copying the CSP rules into a *.site file (instead of including) and then specializing them for the respective site, the site should be tested to ensure it still works.
Tags: No tags attached.
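As an added illustration of the failure described in this issue (not code from the issue or from the Taler nginx configuration): a small CSP evaluator that parses a Content-Security-Policy header and checks, the way a browser evaluates connect-src, whether a SPA served from one origin may call another. The two policies and the hostnames below are constructed; the real contents of talercsp.conf are not shown on this page.

```python
from urllib.parse import urlsplit

# Constructed sample policies: a shared one that locks connections to the
# page's own origin, and a site-specific one that also admits the exchange.
SHARED_CSP = "default-src 'self'; script-src 'self'; connect-src 'self'"
SITE_CSP = "default-src 'self'; script-src 'self'; connect-src 'self' https://exchange.demo.example"

def parse_csp(header: str) -> dict:
    """Split a CSP header into {directive: [source expressions]}; the first
    occurrence of a directive wins, which is how browsers evaluate it."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def source_matches(expr: str, page_origin: str, target: str) -> bool:
    """Match one source expression against a target origin (simplified:
    no scheme upgrading and no path matching)."""
    e = expr.lower()
    t = urlsplit(target)
    if e == "*":
        return True
    if e == "'self'":
        return target == page_origin
    if e in ("'none'", "'unsafe-inline'", "'unsafe-eval'"):
        return False
    if e.endswith(":"):                        # scheme source such as "https:"
        return t.scheme + ":" == e
    if "://" not in e:                         # host source without a scheme
        e = f"{t.scheme}://{e}"
    s = urlsplit(e)
    if not s.hostname or s.scheme != t.scheme or (s.port or None) != (t.port or None):
        return False
    if s.hostname.startswith("*."):            # wildcard subdomain source
        return t.hostname.endswith(s.hostname[1:])
    return s.hostname == t.hostname

def connect_allowed(header: str, page_origin: str, target: str) -> bool:
    """True if a page served from page_origin may fetch() target under header.
    connect-src falls back to default-src when it is absent."""
    policy = parse_csp(header)
    sources = policy.get("connect-src", policy.get("default-src"))
    if sources is None:
        return True                            # no governing directive at all
    return any(source_matches(x, page_origin, target) for x in sources)

if __name__ == "__main__":
    page, exchange = "https://backend.demo.example", "https://exchange.demo.example"
    for name, csp in (("shared", SHARED_CSP), ("site-specific", SITE_CSP)):
        print(f"{name}: SPA may call the exchange -> {connect_allowed(csp, page, exchange)}")
```

Running a check like this against each subdomain's intended policy, with the origins that site's SPA really talks to, is one way to do the per-site testing the description asks for before a specialized CSP goes live.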

Activities

javier.sepulveda

2024-01-08 13:10

administrator ~0020822

ACK. Please let me (ASAP) do further investigation on this, to see if I can make some of the suggested improvements. Thank you for the great explanation of the task.

Issue History

Date Modified Username Field Change
2024-01-07 16:35 Christian Grothoff New Issue
2024-01-07 16:35 Christian Grothoff Status new => assigned
2024-01-07 16:35 Christian Grothoff Assigned To => javier.sepulveda
2024-01-08 13:10 javier.sepulveda Note Added: 0020822
2024-01-30 01:05 Christian Grothoff Priority normal => low