From ebcdf459aa986141b396fbe05b080933b70c1659 Mon Sep 17 00:00:00 2001
From: V <v@unfathomable.blue>
Date: Sat, 14 May 2022 22:23:06 +0200
Subject: fleet/modules/web: drop Content-Security-Policy header, for now

Blocking inline scripts was causing Gerrit to load fonts from Google's
CDN. Rather than adding the appropriate exception for this one instance,
and giving myself a false sense of safety (which will inevitably result
in me running into other subtle issues of this kind in the future), I'm
going to disable the entire thing until I have time to set up reporting.

Change-Id: I7c48e4f7d113ecc15dec0bb930918ccc691b124f
---
 fleet/hosts/kaikou/gerrit.nix | 2 --
 1 file changed, 2 deletions(-)

(limited to 'fleet/hosts')

diff --git a/fleet/hosts/kaikou/gerrit.nix b/fleet/hosts/kaikou/gerrit.nix
index ff05f2d..f97ba23 100644
--- a/fleet/hosts/kaikou/gerrit.nix
+++ b/fleet/hosts/kaikou/gerrit.nix
@@ -35,8 +35,6 @@
   services.caddy.config = ''
     review.unfathomable.blue {
       import common
-      # This is to override the stronger policy set in //modules/web.nix.
-      header Content-Security-Policy "script-src https://review.unfathomable.blue/; object-src 'none'"
       reverse_proxy localhost:8080
     }
   '';
-- 
cgit 1.4.1