; Settings for Content Security Policy header; you can learn more here: ; https://vufind.org/wiki/administration:security:content_security_policy [CSP] ; This setting can be used to control the operating mode for each APPLICATION_ENV ; value (written as an array key below). Please note that the Whoops error handler ; (enabled in development mode) does not show correctly when enabled[development] is ; set to true. ; ; Following options are supported: ; false - Disabled ; "report_only" - Enabled in report-only mode (default). See report-to setting below. ; true - Enabled in enforcing mode enabled[production] = "report_only" enabled[development] = "report_only" ; The nonce (number used once) - unique number for each request. It is strongly ; recommended to keep this setting on. The generated nonce directive is automatically ; added to script-src directives if any are set in [Directives] below. use_nonce = true ; Directives; you can find a list of available directives on this page: ; https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy ; For evaluation of CSP you can use this tool provided by Google: ; https://csp-evaluator.withgoogle.com/ ; See also the VuFind wiki for additional recommendations and tools: ; https://vufind.org/wiki/administration:security:content_security_policy [Directives] ; default of 'self' with 'none' on child, object, prefetch allows SVG requests. default-src[] = "'self'" child-src[] = "'none'" object-src[] = "'none'" ; 'strict-dynamic' allows any trusted script to load other scripts with a hash. ; Safari 15.3 and earlier does not support this feature. Since these browser ; versions constitute a significant portion of users, especially mobile users, ; 'strict-dynamic' is disabled by default. ; https://caniuse.com/mdn-http_headers_content-security-policy_strict-dynamic ;script-src[] = "'strict-dynamic'" ; backwards compatible to CSP 2 script-src[] = "http:" script-src[] = "https:" ;script-src-elem[] = "'self'" connect-src[] = "'self'" ; If you are using Google Analytics, uncomment the line below ;connect-src[] = "https://*.google-analytics.com" ; worker-src required for jsTree with browsers that don't support 'strict-dynamic' (e.g. Safari): worker-src[] = "blob:" style-src[] = "'self'" style-src[] = "'unsafe-inline'" img-src[] = "'self'" ; If you are using LibGuidesProfile recommendation module, uncomment the line below ;img-src[] = libapps.s3.amazonaws.com ; If you are using MapSelection recommendation module, uncomment a line below ; for the basemap you are using: ;img-src[] = "https://maps.wikimedia.org" ;img-src[] = "http://tile.stamen.com" ;img-src[] = "http://basemaps.cartocdn.com" ; If you are using ObalkyKnih as cover service you will need to uncomment the two ; lines below. Note these are default URLs; their change is unlikely but possible, ; so you should ensure they are still valid. ;img-src[] = https://cache.obalkyknih.cz ;img-src[] = https://cache2.obalkyknih.cz ;img-src[] = https://cache3.obalkyknih.cz ; For OverDrive records, uncomment the line below. ;img-src[] = https://*.od-cdn.com font-src[] = "'self'" base-uri[] = "'self'" ; Provide both report-uri and report-to headers to capture CSP violations. Each is supported ; by different browsers. See ; https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-uri ; ; Set URI that some browsers use to report CSP violation. ;report-uri[] = 'https://example.report-uri.com' ; Set the named endpoint that other borwsers use to report CSP violations. The endpoint name ; should match a group name in ReportTo below. ;report-to[] = 'CSPReportingEndpoint' ; Define the Report-To response header endpoint groups. See ; https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-to ;[ReportTo] ;groups[] = 'CSPReportingEndpoint' ; Define each endpoint group named in ReportTo above. ;[ReportToCSPReportingEndpoint] ; Maximum seconds to use this reporting endpoint. Default (86400) is one day. ;max_age = 86400 ; URL(s) for this reporting endpoint ;endpoints_url[] = 'https://example.report-uri.com' ; Send the NEL (Network Error Logging) HTTP response header. ; See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/NEL ;[NetworkErrorLogging] ; Set the named endpoint that browsers use to report network errors. The endpoint name ; should match a group name in ReportTo above. ;report_to = CSPReportingEndpoint ; Maximum seconds to use this reporting endpoint. Default (86400) is one day. ;max_age = 86400 ; The following properties are optional in the NEL specification, so VuFind will include ; them in the NEL response header only if they are specified here. See definitions at ; https://w3c.github.io/network-error-logging/#nel-response-header ;include_subdomains = false ;failure_fraction = 1.0