diff --git a/frontend/nginx.conf b/frontend/nginx.conf index 79d8f91..01e06f0 100644 --- a/frontend/nginx.conf +++ b/frontend/nginx.conf @@ -16,7 +16,7 @@ server { add_header X-Content-Type-Options "nosniff" always; add_header X-XSS-Protection "1; mode=block" always; add_header Referrer-Policy "strict-origin-when-cross-origin" always; - add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' https://challenges.cloudflare.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; img-src 'self' data: blob: https://challenges.cloudflare.com; media-src 'self' blob:; connect-src 'self' https://challenges.cloudflare.com; font-src 'self' https://fonts.gstatic.com; frame-src https://challenges.cloudflare.com;" always; + add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://challenges.cloudflare.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; img-src 'self' data: blob: https://challenges.cloudflare.com; media-src 'self' blob:; connect-src 'self' https://challenges.cloudflare.com; font-src 'self' https://fonts.gstatic.com; frame-src 'self' https://challenges.cloudflare.com;" always; add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always; # API proxy to backend @@ -35,6 +35,17 @@ server { proxy_read_timeout 600s; } + # SCORM content — no frame-blocking headers, allow scripts + location /uploads/scorm/ { + resolver 127.0.0.11 valid=10s; + set $backend http://backend:8000; + proxy_pass $backend; + proxy_set_header Host $host; + proxy_hide_header X-Frame-Options; + proxy_hide_header Content-Security-Policy; + add_header Cache-Control "public, max-age=86400"; + } + # Uploaded images proxy to backend location /uploads/ { resolver 127.0.0.11 valid=10s;