nginx: remove new lines from csp headers

jquery · Nov 16, 2024 · af18907 · af18907
1 parent cc72233
commit af18907
Show file tree

Hide file tree

Showing 3 changed files with 4 additions and 31 deletions.
diff --git a/modules/profile/templates/contentorigin/site.nginx.erb b/modules/profile/templates/contentorigin/site.nginx.erb
@@ -15,15 +15,7 @@ server {
 
   # Add Content Security Policy headers
   add_header Reporting-Endpoints "csp-endpoint='https://csp-report-api.openjs-foundation.workers.dev/'";
-  add_header Content-Security-Policy-Report-Only "
-    default-src 'self';
-    script-src 'self' code.jquery.com;
-    connect-src 'self';
-    img-src 'self';
-    style-src 'self';
-    report-uri https://csp-report-api.openjs-foundation.workers.dev/;
-    report-to csp-endpoint
-  ";
+  add_header Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self' code.jquery.com; connect-src 'self'; img-src 'self'; style-src 'self'; report-uri https://csp-report-api.openjs-foundation.workers.dev/; report-to csp-endpoint";
 
   location / {
     root /srv/www/content.jquery.com;

diff --git a/modules/profile/templates/gruntjscom/site.nginx.erb b/modules/profile/templates/gruntjscom/site.nginx.erb
@@ -21,15 +21,7 @@ server {
     add_header Reporting-Endpoints "csp-endpoint='https://csp-report-api.openjs-foundation.workers.dev/'";
     # script-src: add 'unsafe-eval' for the search functionality on gruntjs.com/plugins
     # Search will need to be reimplemented to remove this exception.
-    add_header Content-Security-Policy-Report-Only "
-      default-src 'self';
-      script-src 'self' 'unsafe-eval';
-      connect-src 'self';
-      img-src 'self';
-      style-src 'self';
-      report-uri https://csp-report-api.openjs-foundation.workers.dev/;
-      report-to csp-endpoint
-    " always;
+    add_header Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self' 'unsafe-eval'; connect-src 'self'; img-src 'self'; style-src 'self'; report-uri https://csp-report-api.openjs-foundation.workers.dev/; report-to csp-endpoint" always;
   }
 
   location /.well-known/acme-challenge {

diff --git a/modules/profile/templates/miscweb/site.nginx.erb b/modules/profile/templates/miscweb/site.nginx.erb
@@ -21,24 +21,13 @@ server {
   # Add Content Security Policy headers
   add_header Reporting-Endpoints "csp-endpoint='https://csp-report-api.openjs-foundation.workers.dev/'";
 <%- if @site['csp_header'] -%>
-  add_header Content-Security-Policy-Report-Only "
-    <%= @site['csp_header'] %>
-  ";
+  add_header Content-Security-Policy-Report-Only "<%= @site['csp_header'] %>";
 <%- else -%>
   # script-src: add 'wasm-unsafe-eval' for WebAssembly-driven search on
   #   bugs.jquery.com, bugs.jqueryui.com, and plugins.jquery.com
   # img-src: allow secure.gravatar.com images on plugins.jquery.com
   # media-src: allow content.jquery.com media on podcast.jquery.com
-  add_header Content-Security-Policy-Report-Only "
-    default-src 'self';
-    script-src 'self' 'wasm-unsafe-eval' code.jquery.com;
-    connect-src 'self';
-    img-src 'self' secure.gravatar.com;
-    style-src 'self';
-    media-src 'self' content.jquery.com;
-    report-uri https://csp-report-api.openjs-foundation.workers.dev/;
-    report-to csp-endpoint
-  ";
+  add_header Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self' 'wasm-unsafe-eval' code.jquery.com; connect-src 'self'; img-src 'self' secure.gravatar.com; style-src 'self'; media-src 'self' content.jquery.com; report-uri https://csp-report-api.openjs-foundation.workers.dev/; report-to csp-endpoint";
 <%- end -%>
 
 <%- if @site['allow_php'] -%>