Merge branch 'master' into feat/conf-repo

h5bp · Jan 3, 2020 · 278f515 · 278f515
2 parents f5cd127 + 5748d26
commit 278f515
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 5 deletions.
diff --git a/.travis.yml b/.travis.yml
@@ -20,7 +20,7 @@ jobs:
   include:
     - name: "Server Config Tests"
       install:
-        - curl -sSL https://github.com/h5bp/server-configs-test/releases/download/1.0.6/server-configs-test.tar.gz | tar -xz -C test/
+        - curl -sSL https://github.com/h5bp/server-configs-test/releases/download/1.2.2/server-configs-test.tar.gz | tar -xz -C test/
       before_script:
         - docker pull httpd
         - |
@@ -38,7 +38,7 @@ jobs:
         - docker logs server
     - name: ".htaccess Tests"
       install:
-        - curl -sSL https://github.com/h5bp/server-configs-test/releases/download/1.0.6/server-configs-test.tar.gz | tar -xz -C test/
+        - curl -sSL https://github.com/h5bp/server-configs-test/releases/download/1.2.2/server-configs-test.tar.gz | tar -xz -C test/
         - ./bin/build.sh test/fixtures/.htaccess test/build/htaccess_fixture.conf
       before_script:
         - docker pull httpd

diff --git a/src/security/content-security-policy.conf b/src/security/content-security-policy.conf
@@ -54,6 +54,13 @@
 #      website itself to be loaded over HTTPS you must include the
 #      `Strict-Transport-Security` header.
 #
+#  (6) The `Content-Security-Policy` header is included in all responses
+#      that are able to execute scripting. This includes the commonly used
+#      file types: HTML, XML and PDF documents. Although Javascript files
+#      can not execute script in a "browsing context", they are still included
+#      to target workers:
+#      https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#CSP_in_workers
+#
 # To make your CSP implementation easier, you can use an online CSP header
 # generator such as:
 # https://report-uri.com/home/generate/
@@ -68,6 +75,6 @@
 # https://www.w3.org/TR/CSP/
 
 <IfModule mod_headers.c>
-    #                                   (1)                 (2)              (3)                 (4)                     (5)
-    Header set Content-Security-Policy "default-src 'self'; base-uri 'none'; form-action 'self'; frame-ancestors 'none'; upgrade-insecure-requests" "expr=%{CONTENT_TYPE} =~ m#text/html#i"
+    #                                   (1)                 (2)              (3)                 (4)                     (5)                         (6)
+    Header set Content-Security-Policy "default-src 'self'; base-uri 'none'; form-action 'self'; frame-ancestors 'none'; upgrade-insecure-requests" "expr=%{CONTENT_TYPE} =~ m#text\/(html|javascript)|application\/pdf|xml#i"
 </IfModule>
diff --git a/src/web_performance/compression.conf b/src/web_performance/compression.conf
@@ -42,6 +42,7 @@
                                       "font/eot" \
                                       "font/opentype" \
                                       "font/otf" \
+                                      "font/ttf" \
                                       "image/bmp" \
                                       "image/svg+xml" \
                                       "image/vnd.microsoft.icon" \
@@ -69,7 +70,7 @@
     # (do note that this will NOT make Apache compress them!).
     #
     # If these files types would be served without an appropriate
-    # `Content-Enable` response header, client applications (e.g.:
+    # `Content-Encoding` response header, client applications (e.g.:
     # browsers) wouldn't know that they first need to uncompress
     # the response, and thus, wouldn't be able to understand the
     # content.