removed 'Content-Security-Policy' header from opt-ins

AnsibleGuy 2021-12-31 23:36:05 +01:00
parent 781b7c6f3b
commit f028bfec59
2 changed files with 1 additions and 4 deletions


@ -64,9 +64,6 @@ This will also be done automatically if no domain is supplied.
* **Warning:** Not every setting/variable you provide will be checked for validity. Bad config might break the role!
* **Warning:** If you run a web application you might need to disable the 'Content-Security-Policy' header!
* **Info:** To disable default settings and headers => just set their value to: ''


@ -57,7 +57,7 @@ default_apache:
# if first key does not include 'Header' => prepend 'Header set'
'Header always set Strict-Transport-Security': '"max-age=31536000; includeSubDomains; preload"'
'Referrer-Policy': '"same-origin"'
'Content-Security-Policy': "\"default-src 'self';\""
# 'Content-Security-Policy': "\"default-src 'self';\"" # disabled since it blocks too many common use-cases
'X-Frame-Options': 'SAMEORIGIN'
'X-Content-Type-Options': 'nosniff'
'X-Permitted-Cross-Domain-Policies': '"none"'
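Review bot: With the 'Content-Security-Policy' entry commented out in this header map, sites deployed with the role's defaults send no CSP at all, so nothing restricts script or object sources and framing is covered only by 'X-Frame-Options'. Rather than dropping the header entirely, consider a narrower default that is unlikely to break applications, e.g. `'Content-Security-Policy': "\"frame-ancestors 'self'; object-src 'none'; base-uri 'self';\""`. If it stays disabled, the comment should tell operators how to opt back in, e.g. `# opt-in: set 'Content-Security-Policy' in your own headers, e.g. "default-src 'self';" - off by default since it blocks too many common use-cases`. The README warning about needing to disable this header, if it survives the first file section, would now be stale and should instead point to enabling it. The `default_apache` mapping starts and ends outside this hunk, so how user-supplied headers merge with these defaults is not visible here.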