From cc1da0773bc9088aea0c65a2ef89472db2862b2f Mon Sep 17 00:00:00 2001
From: Philippe Caseiro
Date: Fri, 13 Sep 2019 16:02:48 +0200
Subject: [PATCH] Work around CSP form-action issue with CAS. Replace header with nicer values
---
 tmpl/portal-nginx.conf | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/tmpl/portal-nginx.conf b/tmpl/portal-nginx.conf
index 32464a1..c753c04 100644
--- a/tmpl/portal-nginx.conf
+++ b/tmpl/portal-nginx.conf
@@ -4,6 +4,7 @@
 # default "";
 # ~/CN=(?[^/]+) $CN;
 #}
+%set %%webDomain = %%authWebName.split('.',1)[1]
 server {
 listen 80;
@@ -40,6 +41,8 @@ server {
 fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
 fastcgi_split_path_info ^(.*\.psgi)(/.*)$;
 fastcgi_param PATH_INFO $fastcgi_path_info;
+ fastcgi_hide_header Content-Security-Policy;
+ add_header Content-Security-Policy "default-src 'self'; form-action 'self' http://*.%%webDomain https://*.%%webDomain; object-src 'none'";
 }
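Review bot: The `%%webDomain` derivation on the added `%set` line assumes `%%authWebName` has at least three labels. With a two-label name the result is the bare top-level domain, which the second hunk then places into `form-action ... https://*.%%webDomain`, a far wider allow-list than intended. With no dot at all, `[1]` would presumably fail while the template is rendered. I would add a comment above the line, `# webDomain = parent domain of the portal host; authWebName must look like host.domain.tld`, and check the label count before the value reaches the policy.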
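Review bot: `fastcgi_hide_header` strips the portal's own Content-Security-Policy from every response, but `add_header` without `always` sets the replacement only on a fixed set of success and redirect status codes, so error responses from this location would go out with no CSP at all; ending the directive with `object-src 'none'" always;` closes that gap. The `http://*.%%webDomain` source also lets forms served by the portal post over cleartext to any subdomain, so if every CAS service is reachable over HTTPS I would keep only `https://*.%%webDomain`. Separately, an `add_header` inside a location stops inheritance of any `add_header` set at server level, which is not visible here and is worth checking. The enclosing location block starts outside the hunk.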