WebSVN – configs – Diff – /homeserver/etc/httpd/conf.d/ssl.conf



# Prevent browsers from incorrectly detecting non-scripts as scripts
Header always set X-Content-Type-Options nosniff
# Cors
Header always set Access-Control-Allow-Origin "*"
# CSP calculated by FF Addon Laboratory
###Header always set Content-Security-Policy "default-src 'none'; connect-src 'self'; font-src 'self' https://fonts.gstatic.com https://maxcdn.bootstrapcdn.com; frame-src data:; img-src 'self' data: https://counters.auctiva.com https://i.ebayimg.com https://i.thenile.io https://img.comc.com https://ir.ebaystatic.com https://scimg.auctiva.com https://storage.googleapis.com https://*.ebaystatic.com https://ti2.auctiva.com https://www.thenile.com.au https://cdn.shopify.com; script-src 'self' 'unsafe-inline' https://ajax.googleapis.com/ajax/libs/jquery/3.3.1/jquery.min.js https://cdn.jsdelivr.net/npm/lodash@4.17.11/lodash.min.js https://cdnjs.cloudflare.com/ajax/libs/Chart.js/2.7.3/Chart.min.js https://cdnjs.cloudflare.com/ajax/libs/bootstrap-select/1.13.2/js/bootstrap-select.js https://cdnjs.cloudflare.com/ajax/libs/moment-timezone/0.5.23/moment-timezone-with-data-2012-2022.min.js https://cdnjs.cloudflare.com/ajax/libs/moment.js/2.23.0/moment.min.js https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.14.3/umd/popper.min.js https://maps.googleapis.com/maps-api-v3/api/js/ https://maps.googleapis.com/maps/api/js https://maxcdn.bootstrapcdn.com/bootstrap/4.1.3/js/bootstrap.min.js; style-src 'self' 'unsafe-inline' https://cdnjs.cloudflare.com/ajax/libs/bootstrap-select/1.13.2/css/ https://fonts.googleapis.com/ https://img.comc.com/Content/eBay/ https://maxcdn.bootstrapcdn.com/bootstrap/4.1.3/css/ https://maxcdn.bootstrapcdn.com/font-awesome/4.7.0/css/ https://scrollinggallery.auctiva.com/gallery/css/2(0)/AUCTIVA/1362185/0/25/ https://storage.googleapis.com/ebay-assets/grandeagle/css/ https://www.w3schools.com/w3css/4/;frame-ancestors 'self'"
# Disable referrers for browsers that don't support strict-origin-when-cross-origin; Uses strict-origin-when-cross-origin for browsers that do
Header always set Referrer-Policy "no-referrer"
# Only allow my site to frame itself
#add above# Header always add Content-Security-Policy "frame-ancestors 'self'"
Header always set X-Frame-Options SAMEORIGIN

# Prevent browsers from incorrectly detecting non-scripts as scripts
Header always set X-Content-Type-Options nosniff
# Cors
Header always set Access-Control-Allow-Origin "*"
# Disable unsafe inline/eval, only allow loading of resources (images, fonts, scripts, etc.) over https
Header always set Content-Security-Policy "default-src 'none'; connect-src 'self'; font-src 'self' data: https://fonts.gstatic.com https://use.fontawesome.com; form-action 'self'; frame-src https://www.google.com https://www.youtube-nocookie.com; img-src 'self' data: http://abs.twimg.com https://abs.twimg.com https://*.walmartimages.com https://images.samash.com https://img.discogs.com https://*.googleusercontent.com https://*.ebaystatic.com https://www.fye.com https://www.musicnotes.com https://www.secondspin.com https://platform-lookaside.fbsbx.com https://ad.linksynergy.com https://www.lduhtrp.net https://*.wal.co https://cj.dotomi.com https://www.awltovhc.com https://www.ftjcfx.com https://www.tqlkg.com https://www.emjcd.com https://www.yceml.net https://beacon.affil.walmart.com https://assets.sheetmusicplus.com https://www0.alibris-static.com https://*.mzstatic.com https://via.placeholder.com https://images-na.ssl-images-amazon.com/images/ https://transform.dis.commercecloud.salesforce.com https://www.google-analytics.com https://m.media-amazon.com/images/; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://ajax.googleapis.com/ajax/libs/jquery/ https://cdnjs.cloudflare.com/ajax/libs/popper.js/ https://maxcdn.bootstrapcdn.com/bootstrap/ https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://ssl.gstatic.com https://www.googletagmanager.com/gtag/js https://www.google-analytics.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com/ https://maxcdn.bootstrapcdn.com/bootstrap/ https://use.fontawesome.com/releases/;frame-ancestors 'self'"
# Disable referrers for browsers that don't support strict-origin-when-cross-origin; Uses strict-origin-when-cross-origin for browsers that do
Header always set Referrer-Policy "no-referrer"
# Only allow my site to frame itself
#add above# Header always add Content-Security-Policy "frame-ancestors 'self'"
Header always set X-Frame-Options SAMEORIGIN

# Prevent browsers from incorrectly detecting non-scripts as scripts
Header always set X-Content-Type-Options nosniff
# Cors
Header always set Access-Control-Allow-Origin "*"
# CSP calculated by FF Addon Laboratory
#Header always set Content-Security-Policy "default-src 'none'; frame-src https://ws-na.amazon-adsystem.com https://www.youtube-nocookie.com; img-src 'self' data: https://www.google-analytics.com; script-src 'self' 'unsafe-inline' https://ajax.googleapis.com/ajax/libs/jquery/3.4.0/jquery.min.js https://maxcdn.bootstrapcdn.com/bootstrap/4.3.1/js/bootstrap.min.js https://www.google-analytics.com/analytics.js https://www.googletagmanager.com/gtag/js; style-src 'self' 'unsafe-inline' https://maxcdn.bootstrapcdn.com/bootstrap/4.3.1/css/;frame-ancestors 'self'"
# Disable referrers for browsers that don't support strict-origin-when-cross-origin; Uses strict-origin-when-cross-origin for browsers that do
Header always set Referrer-Policy "no-referrer"
# Only allow my site to frame itself
#add above# Header always add Content-Security-Policy "frame-ancestors 'self'"
Header always set X-Frame-Options SAMEORIGIN

Subversion Repositories configs

(root)/homeserver/etc/httpd/conf.d/ssl.conf – Rev 182 → 184

Rev 182		Rev 184
Line 86...		Line 86...
86	`# Prevent browsers from incorrectly detecting non-scripts as scripts`	86	`# Prevent browsers from incorrectly detecting non-scripts as scripts`
87	`Header always set X-Content-Type-Options nosniff`	87	`Header always set X-Content-Type-Options nosniff`
88	`# Cors`	88	`# Cors`
89	`Header always set Access-Control-Allow-Origin "*"`	89	`Header always set Access-Control-Allow-Origin "*"`
90	`# CSP calculated by FF Addon Laboratory`	90	`# CSP calculated by FF Addon Laboratory`
91	###Header always set Content-Security-Policy "default-src 'none'; connect-src 'self'; font-src https://fonts.gstatic.com https://maxcdn.bootstrapcdn.com; frame-src data:; img-src 'self' data: https://counters.auctiva.com https://i.ebayimg.com https://i.thenile.io https://img.comc.com https://ir.ebaystatic.com https://scimg.auctiva.com https://storage.googleapis.com https://*.ebaystatic.com https://ti2.auctiva.com https://www.thenile.com.au https://cdn.shopify.com; script-src 'self' 'unsafe-inline' https://ajax.googleapis.com/ajax/libs/jquery/3.3.1/jquery.min.js https://cdn.jsdelivr.net/npm/lodash@4.17.11/lodash.min.js https://cdnjs.cloudflare.com/ajax/libs/Chart.js/2.7.3/Chart.min.js https://cdnjs.cloudflare.com/ajax/libs/bootstrap-select/1.13.2/js/bootstrap-select.js https://cdnjs.cloudflare.com/ajax/libs/moment-timezone/0.5.23/moment-timezone-with-data-2012-2022.min.js https://cdnjs.cloudflare.com/ajax/libs/moment.js/2.23.0/moment.min.js https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.14.3/umd/popper.min.js https://maps.googleapis.com/maps-api-v3/api/js/ https://maps.googleapis.com/maps/api/js https://maxcdn.bootstrapcdn.com/bootstrap/4.1.3/js/bootstrap.min.js; style-src 'self' 'unsafe-inline' https://cdnjs.cloudflare.com/ajax/libs/bootstrap-select/1.13.2/css/ https://fonts.googleapis.com/ https://img.comc.com/Content/eBay/ https://maxcdn.bootstrapcdn.com/bootstrap/4.1.3/css/ https://maxcdn.bootstrapcdn.com/font-awesome/4.7.0/css/ https://scrollinggallery.auctiva.com/gallery/css/2(0)/AUCTIVA/1362185/0/25/ https://storage.googleapis.com/ebay-assets/grandeagle/css/ https://www.w3schools.com/w3css/4/;frame-ancestors 'self'"	91	###Header always set Content-Security-Policy "default-src 'none'; connect-src 'self'; font-src 'self' https://fonts.gstatic.com https://maxcdn.bootstrapcdn.com; frame-src data:; img-src 'self' data: https://counters.auctiva.com https://i.ebayimg.com https://i.thenile.io https://img.comc.com https://ir.ebaystatic.com https://scimg.auctiva.com https://storage.googleapis.com https://*.ebaystatic.com https://ti2.auctiva.com https://www.thenile.com.au https://cdn.shopify.com; script-src 'self' 'unsafe-inline' https://ajax.googleapis.com/ajax/libs/jquery/3.3.1/jquery.min.js https://cdn.jsdelivr.net/npm/lodash@4.17.11/lodash.min.js https://cdnjs.cloudflare.com/ajax/libs/Chart.js/2.7.3/Chart.min.js https://cdnjs.cloudflare.com/ajax/libs/bootstrap-select/1.13.2/js/bootstrap-select.js https://cdnjs.cloudflare.com/ajax/libs/moment-timezone/0.5.23/moment-timezone-with-data-2012-2022.min.js https://cdnjs.cloudflare.com/ajax/libs/moment.js/2.23.0/moment.min.js https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.14.3/umd/popper.min.js https://maps.googleapis.com/maps-api-v3/api/js/ https://maps.googleapis.com/maps/api/js https://maxcdn.bootstrapcdn.com/bootstrap/4.1.3/js/bootstrap.min.js; style-src 'self' 'unsafe-inline' https://cdnjs.cloudflare.com/ajax/libs/bootstrap-select/1.13.2/css/ https://fonts.googleapis.com/ https://img.comc.com/Content/eBay/ https://maxcdn.bootstrapcdn.com/bootstrap/4.1.3/css/ https://maxcdn.bootstrapcdn.com/font-awesome/4.7.0/css/ https://scrollinggallery.auctiva.com/gallery/css/2(0)/AUCTIVA/1362185/0/25/ https://storage.googleapis.com/ebay-assets/grandeagle/css/ https://www.w3schools.com/w3css/4/;frame-ancestors 'self'"
92	`# Disable referrers for browsers that don't support strict-origin-when-cross-origin; Uses strict-origin-when-cross-origin for browsers that do`	92	`# Disable referrers for browsers that don't support strict-origin-when-cross-origin; Uses strict-origin-when-cross-origin for browsers that do`
93	`Header always set Referrer-Policy "no-referrer"`	93	`Header always set Referrer-Policy "no-referrer"`
94	`# Only allow my site to frame itself`	94	`# Only allow my site to frame itself`
95	`#add above# Header always add Content-Security-Policy "frame-ancestors 'self'"`	95	`#add above# Header always add Content-Security-Policy "frame-ancestors 'self'"`
96	`Header always set X-Frame-Options SAMEORIGIN`	96	`Header always set X-Frame-Options SAMEORIGIN`
Line 142...		Line 142...
142	`# Prevent browsers from incorrectly detecting non-scripts as scripts`	142	`# Prevent browsers from incorrectly detecting non-scripts as scripts`
143	`Header always set X-Content-Type-Options nosniff`	143	`Header always set X-Content-Type-Options nosniff`
144	`# Cors`	144	`# Cors`
145	`Header always set Access-Control-Allow-Origin "*"`	145	`Header always set Access-Control-Allow-Origin "*"`
146	`# Disable unsafe inline/eval, only allow loading of resources (images, fonts, scripts, etc.) over https`	146	`# Disable unsafe inline/eval, only allow loading of resources (images, fonts, scripts, etc.) over https`
147	Header always set Content-Security-Policy "default-src 'none'; connect-src 'self'; font-src data: https://fonts.gstatic.com https://use.fontawesome.com; form-action 'self'; frame-src https://www.google.com https://www.youtube-nocookie.com; img-src 'self' data: http://abs.twimg.com https://abs.twimg.com https://.walmartimages.com https://images.samash.com https://img.discogs.com https://.googleusercontent.com https://.ebaystatic.com https://www.fye.com https://www.musicnotes.com https://www.secondspin.com https://platform-lookaside.fbsbx.com https://ad.linksynergy.com https://www.lduhtrp.net https://.wal.co https://cj.dotomi.com https://www.awltovhc.com https://www.ftjcfx.com https://www.tqlkg.com https://www.emjcd.com https://www.yceml.net https://beacon.affil.walmart.com https://assets.sheetmusicplus.com https://www0.alibris-static.com https://*.mzstatic.com https://via.placeholder.com https://images-na.ssl-images-amazon.com/images/ https://transform.dis.commercecloud.salesforce.com https://www.google-analytics.com https://m.media-amazon.com/images/; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://ajax.googleapis.com/ajax/libs/jquery/ https://cdnjs.cloudflare.com/ajax/libs/popper.js/ https://maxcdn.bootstrapcdn.com/bootstrap/ https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://ssl.gstatic.com https://www.googletagmanager.com/gtag/js https://www.google-analytics.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com/ https://maxcdn.bootstrapcdn.com/bootstrap/ https://use.fontawesome.com/releases/;frame-ancestors 'self'"	147	Header always set Content-Security-Policy "default-src 'none'; connect-src 'self'; font-src 'self' data: https://fonts.gstatic.com https://use.fontawesome.com; form-action 'self'; frame-src https://www.google.com https://www.youtube-nocookie.com; img-src 'self' data: http://abs.twimg.com https://abs.twimg.com https://.walmartimages.com https://images.samash.com https://img.discogs.com https://.googleusercontent.com https://.ebaystatic.com https://www.fye.com https://www.musicnotes.com https://www.secondspin.com https://platform-lookaside.fbsbx.com https://ad.linksynergy.com https://www.lduhtrp.net https://.wal.co https://cj.dotomi.com https://www.awltovhc.com https://www.ftjcfx.com https://www.tqlkg.com https://www.emjcd.com https://www.yceml.net https://beacon.affil.walmart.com https://assets.sheetmusicplus.com https://www0.alibris-static.com https://*.mzstatic.com https://via.placeholder.com https://images-na.ssl-images-amazon.com/images/ https://transform.dis.commercecloud.salesforce.com https://www.google-analytics.com https://m.media-amazon.com/images/; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://ajax.googleapis.com/ajax/libs/jquery/ https://cdnjs.cloudflare.com/ajax/libs/popper.js/ https://maxcdn.bootstrapcdn.com/bootstrap/ https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://ssl.gstatic.com https://www.googletagmanager.com/gtag/js https://www.google-analytics.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com/ https://maxcdn.bootstrapcdn.com/bootstrap/ https://use.fontawesome.com/releases/;frame-ancestors 'self'"
148	`# Disable referrers for browsers that don't support strict-origin-when-cross-origin; Uses strict-origin-when-cross-origin for browsers that do`	148	`# Disable referrers for browsers that don't support strict-origin-when-cross-origin; Uses strict-origin-when-cross-origin for browsers that do`
149	`Header always set Referrer-Policy "no-referrer"`	149	`Header always set Referrer-Policy "no-referrer"`
150	`# Only allow my site to frame itself`	150	`# Only allow my site to frame itself`
151	`#add above# Header always add Content-Security-Policy "frame-ancestors 'self'"`	151	`#add above# Header always add Content-Security-Policy "frame-ancestors 'self'"`
152	`Header always set X-Frame-Options SAMEORIGIN`	152	`Header always set X-Frame-Options SAMEORIGIN`
Line 197...		Line 197...
197	`# Prevent browsers from incorrectly detecting non-scripts as scripts`	197	`# Prevent browsers from incorrectly detecting non-scripts as scripts`
198	`Header always set X-Content-Type-Options nosniff`	198	`Header always set X-Content-Type-Options nosniff`
199	`# Cors`	199	`# Cors`
200	`Header always set Access-Control-Allow-Origin "*"`	200	`Header always set Access-Control-Allow-Origin "*"`
201	`# CSP calculated by FF Addon Laboratory`	201	`# CSP calculated by FF Addon Laboratory`
202	Header always set Content-Security-Policy "default-src 'none'; frame-src https://ws-na.amazon-adsystem.com https://www.youtube-nocookie.com; img-src 'self' data: https://www.google-analytics.com; script-src 'self' 'unsafe-inline' https://ajax.googleapis.com/ajax/libs/jquery/3.4.0/jquery.min.js https://maxcdn.bootstrapcdn.com/bootstrap/4.3.1/js/bootstrap.min.js https://www.google-analytics.com/analytics.js https://www.googletagmanager.com/gtag/js; style-src 'self' 'unsafe-inline' https://maxcdn.bootstrapcdn.com/bootstrap/4.3.1/css/;frame-ancestors 'self'"	202	#Header always set Content-Security-Policy "default-src 'none'; frame-src https://ws-na.amazon-adsystem.com https://www.youtube-nocookie.com; img-src 'self' data: https://www.google-analytics.com; script-src 'self' 'unsafe-inline' https://ajax.googleapis.com/ajax/libs/jquery/3.4.0/jquery.min.js https://maxcdn.bootstrapcdn.com/bootstrap/4.3.1/js/bootstrap.min.js https://www.google-analytics.com/analytics.js https://www.googletagmanager.com/gtag/js; style-src 'self' 'unsafe-inline' https://maxcdn.bootstrapcdn.com/bootstrap/4.3.1/css/;frame-ancestors 'self'"
203	`# Disable referrers for browsers that don't support strict-origin-when-cross-origin; Uses strict-origin-when-cross-origin for browsers that do`	203	`# Disable referrers for browsers that don't support strict-origin-when-cross-origin; Uses strict-origin-when-cross-origin for browsers that do`
204	`Header always set Referrer-Policy "no-referrer"`	204	`Header always set Referrer-Policy "no-referrer"`
205	`# Only allow my site to frame itself`	205	`# Only allow my site to frame itself`
206	`#add above# Header always add Content-Security-Policy "frame-ancestors 'self'"`	206	`#add above# Header always add Content-Security-Policy "frame-ancestors 'self'"`
207	`Header always set X-Frame-Options SAMEORIGIN`	207	`Header always set X-Frame-Options SAMEORIGIN`