Fix SCORM content blocked by CSP and X-Frame-Options
- Add 'self' to frame-src in CSP to allow same-origin iframes - Add 'unsafe-eval' to script-src (SCORM packages often use eval) - Add /uploads/scorm/ location that strips frame-blocking headers - SCORM content served without X-Frame-Options or CSP restrictions Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
parent
d44ad883e9
commit
2db5cb74d7
1 changed files with 12 additions and 1 deletions
|
|
@ -16,7 +16,7 @@ server {
|
|||
add_header X-Content-Type-Options "nosniff" always;
|
||||
add_header X-XSS-Protection "1; mode=block" always;
|
||||
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
|
||||
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' https://challenges.cloudflare.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; img-src 'self' data: blob: https://challenges.cloudflare.com; media-src 'self' blob:; connect-src 'self' https://challenges.cloudflare.com; font-src 'self' https://fonts.gstatic.com; frame-src https://challenges.cloudflare.com;" always;
|
||||
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://challenges.cloudflare.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; img-src 'self' data: blob: https://challenges.cloudflare.com; media-src 'self' blob:; connect-src 'self' https://challenges.cloudflare.com; font-src 'self' https://fonts.gstatic.com; frame-src 'self' https://challenges.cloudflare.com;" always;
|
||||
add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
|
||||
|
||||
# API proxy to backend
|
||||
|
|
@ -35,6 +35,17 @@ server {
|
|||
proxy_read_timeout 600s;
|
||||
}
|
||||
|
||||
# SCORM content — no frame-blocking headers, allow scripts
|
||||
location /uploads/scorm/ {
|
||||
resolver 127.0.0.11 valid=10s;
|
||||
set $backend http://backend:8000;
|
||||
proxy_pass $backend;
|
||||
proxy_set_header Host $host;
|
||||
proxy_hide_header X-Frame-Options;
|
||||
proxy_hide_header Content-Security-Policy;
|
||||
add_header Cache-Control "public, max-age=86400";
|
||||
}
|
||||
|
||||
# Uploaded images proxy to backend
|
||||
location /uploads/ {
|
||||
resolver 127.0.0.11 valid=10s;
|
||||
|
|
|
|||
Loading…
Reference in a new issue