some CSP fixes

build/Dockerfile

@@ -86,11 +86,11 @@ ENV NOMINATIM_URL="https://nominatim.openstreetmap.org"
 # (also see Developer Documentation: https://aam-digital.github.io/ndb-core/documentation/additional-documentation/concepts/security.html)
 ENV CSP_REPORT_URI="https://o167951.ingest.sentry.io/api/1242399/security/"
 # overwrite the Content-Security-Policy rules (report-uri is added automatically)
-## default includes all required whitelists for production server
-## to disable any CSP blocking, set to "default-src *  data: blob: filesystem: about: ws: wss: 'unsafe-inline' 'unsafe-eval'"
-ENV CSP="default-src 'self' 'unsafe-eval' data: https://*.tile.openstreetmap.org/ https://matomo.aam-digital.org  https://*.aam-digital.com https://api.github.com/repos/Aam-Digital/ https://sentry.io $CSP_REPORT_URI 'sha256-gtzIf+c+ujwirISvjI8lnwlaZwnMkh04eA9ZDBCd8TY='; style-src 'self' 'unsafe-inline'"
-### 'sha256-gtzIf+c+ujwirISvjI8lnwlaZwnMkh04eA9ZDBCd8TY=' for index.html writing browser details
-### 'unsafe-eval' required for pouchdb https://github.com/pouchdb/pouchdb/issues/7853#issuecomment-535020600
+# default includes all required whitelists for production server
+# to disable any CSP blocking, set to "default-src *  data: blob: filesystem: about: ws: wss: 'unsafe-inline' 'unsafe-eval'"
+ENV CSP="default-src 'self' 'unsafe-eval' 'unsafe-inline' data: blob: https://*.tile.openstreetmap.org/ https://matomo.aam-digital.org  https://*.aam-digital.com https://api.github.com/repos/Aam-Digital/ https://sentry.io $CSP_REPORT_URI; style-src 'self' 'unsafe-inline'"
+# 'unsafe-eval' required for pouchdb https://github.com/pouchdb/pouchdb/issues/7853#issuecomment-535020600
+# TODO remove 'unsave-inline' and fix the reported issues
 
 # variables are inserted into the nginx config
 CMD envsubst '$$PORT $$COUCHDB_URL $$QUERY_URL $$NOMINATIM_URL $$CSP $$CSP_REPORT_URI' < /etc/nginx/templates/default.conf > /etc/nginx/conf.d/default.conf &&\

build/default.conf

@@ -10,7 +10,8 @@ server {
 
     root /usr/share/nginx/html;
 
-    add_header Content-Security-Policy-Report-Only "${CSP}; report-uri ${CSP_REPORT_URI}";
+    add_header Content-Security-Policy-Report-Only "${CSP}; report-uri ${CSP_REPORT_URI}?ngsw-bypass=true";
+    # ?ngsw-bypass prevents angular serviceworker to intercept and break CSP reporting (https://github.com/angular/angular/issues/31477)
 
     # TODO: consider adding `trusted-types angular angular#unsafe-bypass; require-trusted-types-for 'script';` CSP in future
     add_header X-Frame-Options: SAMEORIGIN; # only applies in older browsers, CSP frame-ancestors takes prevalence https://stackoverflow.com/a/40417609/1473411