From 2db5cb74d72bdfb5492c371da861ddd823ab1002 Mon Sep 17 00:00:00 2001 From: Daniel Date: Sat, 11 Apr 2026 02:08:51 +0200 Subject: [PATCH] Fix SCORM content blocked by CSP and X-Frame-Options - Add 'self' to frame-src in CSP to allow same-origin iframes - Add 'unsafe-eval' to script-src (SCORM packages often use eval) - Add /uploads/scorm/ location that strips frame-blocking headers - SCORM content served without X-Frame-Options or CSP restrictions Co-Authored-By: Claude Opus 4.6 (1M context) --- frontend/nginx.conf | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/frontend/nginx.conf b/frontend/nginx.conf index 79d8f91..01e06f0 100644 --- a/frontend/nginx.conf +++ b/frontend/nginx.conf @@ -16,7 +16,7 @@ server { add_header X-Content-Type-Options "nosniff" always; add_header X-XSS-Protection "1; mode=block" always; add_header Referrer-Policy "strict-origin-when-cross-origin" always; - add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' https://challenges.cloudflare.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; img-src 'self' data: blob: https://challenges.cloudflare.com; media-src 'self' blob:; connect-src 'self' https://challenges.cloudflare.com; font-src 'self' https://fonts.gstatic.com; frame-src https://challenges.cloudflare.com;" always; + add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://challenges.cloudflare.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; img-src 'self' data: blob: https://challenges.cloudflare.com; media-src 'self' blob:; connect-src 'self' https://challenges.cloudflare.com; font-src 'self' https://fonts.gstatic.com; frame-src 'self' https://challenges.cloudflare.com;" always; add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always; # API proxy to backend @@ -35,6 +35,17 @@ server { proxy_read_timeout 600s; } + # SCORM content — no frame-blocking headers, allow scripts + location /uploads/scorm/ { + resolver 127.0.0.11 valid=10s; + set $backend http://backend:8000; + proxy_pass $backend; + proxy_set_header Host $host; + proxy_hide_header X-Frame-Options; + proxy_hide_header Content-Security-Policy; + add_header Cache-Control "public, max-age=86400"; + } + # Uploaded images proxy to backend location /uploads/ { resolver 127.0.0.11 valid=10s;