From 054d2805727dc7b7a74b9643529d935a42a7c920 Mon Sep 17 00:00:00 2001
From: bnewbold <bnewbold@robocracy.org>
Date: Thu, 9 Jun 2016 20:28:19 -0400
Subject: nginx: Content-Security-Policy that doesn't clobber inline css (WTF)

---
 roles/nginx/HOWTO_new_site.txt | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/roles/nginx/HOWTO_new_site.txt b/roles/nginx/HOWTO_new_site.txt
index 0989efd..8126739 100644
--- a/roles/nginx/HOWTO_new_site.txt
+++ b/roles/nginx/HOWTO_new_site.txt
@@ -40,8 +40,8 @@ For SSL stuff, add this to the body:
 
      ssl_certificate /etc/letsencrypt/live/<cert-name>/fullchain.pem;
      ssl_certificate_key /etc/letsencrypt/live/<cert-name>/privkey.pem;
-    
-     add_header Content-Security-Policy "default-src 'self'";
+   
+     add_header Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'";
      add_header X-Frame-Options "SAMEORIGIN";       # 'always' if nginx > 1.7.5
      add_header X-Content-Type-Options "nosniff";   # 'always' if nginx > 1.7.5
      add_header X-Xss-Protection "1";
-- 
cgit v1.2.3