author    V <v@unfathomable.blue>  2022-05-14 22:23:06 +0200
committer V <v@unfathomable.blue>  2022-05-14 23:17:42 +0200
commit    ebcdf459aa986141b396fbe05b080933b70c1659 (patch)
tree      1ee49d759c45abb9a2f817a336ac4f9083be3265 /fleet/modules
parent    b7a18bdfb9e2453684a766f7f0f611ebbc0cf1ba (diff)
fleet/modules/web: drop Content-Security-Policy header, for now
Blocking inline scripts was causing Gerrit to load fonts from Google's
CDN. Rather than adding the appropriate exception for this one instance,
and giving myself a false sense of safety (which will inevitably result
in me running into other subtle issues of this kind in the future), I'm
going to disable the entire thing until I have time to set up reporting.

Change-Id: I7c48e4f7d113ecc15dec0bb930918ccc691b124f
Diffstat (limited to 'fleet/modules')
-rw-r--r--  fleet/modules/web.nix  3
1 files changed, 1 insertions, 2 deletions
diff --git a/fleet/modules/web.nix b/fleet/modules/web.nix
index 97b67ca..248f78b 100644
--- a/fleet/modules/web.nix
+++ b/fleet/modules/web.nix
@@ -28,8 +28,7 @@
 
         header {
           Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
-          # TODO(V): Consider relaxing this a bit. Disabling JavaScript is bound to result in subtle breakage.
-          Content-Security-Policy "script-src 'none'; object-src 'none'"
+          # TODO(V): Define a content security policy. Make it report-only at first, to avoid breaking things.
           Permissions-Policy "interest-cohort=()"
           X-Clacks-Overhead "GNU Terry Pratchett"
         }
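Review bot: removing the whole `Content-Security-Policy` line also drops `object-src 'none'`, which is not what the commit message says caused the breakage (`script-src 'none'` is). Consider keeping `object-src 'none'` enforced, since it very rarely breaks a site, and instead of deferring the rest to the TODO on the `+` line, re-add the removed policy now as `Content-Security-Policy-Report-Only "script-src 'none'; object-src 'none'"` with a `report-to`/`report-uri` directive, so violation reports start accumulating while nothing is blocked and the eventual enforced policy can be written from real data rather than guesswork.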