Nginx: provide mechanism to switch CSP mode

Author: djbe

README.md

@@ -14,6 +14,10 @@ Images with `nginx` can be configured using the following environment variables.
 
 ### Content Security Policy
 
+You can control the CSP behaviour with the `NGINX_CSP_MODE` key:
+- `enforce` (default): Configure the `Content-Security-Policy` header.
+- `report-only`: Instead configure the `Content-Security-Policy-Report-Only` header.
+
 Fetch:
 
 | Environment Key | Applied | Description | Default |

common/config/nginx/snippets/headers/security-web-content.conf

@@ -1,10 +1,11 @@
 include /etc/nginx/snippets/headers/security-base.conf;
 
-# $content_security_policy, $x_frame_options and $x_robots_tag are set in the
-# `http` block, generated via a script.
+# $content_security_policy (and …_report_only), $x_frame_options and
+# $x_robots_tag are set in the `http` block, generated via a script.
 
 # Which content is allowed to load (CSP)
 add_header 'Content-Security-Policy' $content_security_policy always;
+add_header 'Content-Security-Policy-Report-Only' $content_security_policy_report_only always;
 
 # Disable embedding
 # TODO: only works if resource has CORP header

common/scripts/startup/50-env-configure-nginx-csp.sh

@@ -5,15 +5,27 @@ set -euo pipefail
 # Configure nginx security based on ENV vars.
 #
 # Inputs (aside from all the individual CSP settings):
+# - NGINX_CSP_MODE: defaults to 'enforce'
 # - NGINX_CSP_REPORT_URI: defaults to ''
 # - NGINX_FRAME_OPTIONS: defaults to 'deny', note that setting to `disable` removes the header completely.
 
 # Set defaults
 NGINX_CONFIG_FILE='/etc/nginx/snippets/vars/csp-and-robots.conf'
 NGINX_CSP_ITEMS='child-src connect-src font-src form-action frame-ancestors frame-src img-src manifest-src media-src object-src require-trusted-types-for script-src style-src trusted-types worker-src'
+NGINX_CSP_MODE="${NGINX_CSP_MODE:-enforce}"
 NGINX_CSP_REPORT_URI="${NGINX_CSP_REPORT_URI:-}"
 NGINX_FRAME_OPTIONS="${NGINX_FRAME_OPTIONS:-deny}"
 
+# Validate input
+if [ "${NGINX_CSP_MODE}" = 'enforce' ]; then
+  NGINX_CSP_VAR_NAME='content_security_policy'
+elif [ "${NGINX_CSP_MODE}" = 'report-only' ]; then
+  NGINX_CSP_VAR_NAME='content_security_policy_report_only'
+else
+  echo "Nginx: invalid CSP mode ${NGINX_CSP_MODE}"
+  exit 1
+fi
+
 # Check nginx structure
 if [ ! -f "${NGINX_CONFIG_FILE}" ]; then
   echo "Nginx: var-csp-and-robots.conf file is missing, skipping configuring it…"
@@ -60,15 +72,20 @@ csp_item() {
 nginx_csp_definition() {
   name="$1"
 
-  nginx_var_definition "$name" "$(
-    printf "default-src 'self';"
-    for item in $NGINX_CSP_ITEMS; do
-      csp_item "$item"
-    done
-    csp_item 'report-uri' "$NGINX_CSP_REPORT_URI"
-  )"
+  if [ "$name" = "$NGINX_CSP_VAR_NAME" ]; then
+    nginx_var_definition "$name" "$(
+      printf "default-src 'self';"
+      for item in $NGINX_CSP_ITEMS; do
+        csp_item "$item"
+      done
+      csp_item 'report-uri' "$NGINX_CSP_REPORT_URI"
+    )"
+  else
+    nginx_var_definition "$name" ''
+  fi
 }
 
 # nginx content policy
 echo "Nginx: configuring content security policy…"
 nginx_csp_definition content_security_policy >> "${NGINX_CONFIG_FILE}"
+nginx_csp_definition content_security_policy_report_only >> "${NGINX_CONFIG_FILE}"