Revert "blogs: add CSP report header to blog sites"

timmywil · timmywil · commit 0061d2e7778d · 2024-12-24T14:14:26.000-05:00
This reverts commit 7019e41.
diff --git a/hieradata/environments/production/roles/blogs.yaml b/hieradata/environments/production/roles/blogs.yaml
@@ -5,7 +5,6 @@ profile::certbot::certificates:
 
 profile::wordpress::blogs::admin_email: infrastructure-team@jquery.com
 profile::wordpress::blogs::wordpress_version: ~
-profile::wordpress::blogs::csp_header: "default-src 'self'; script-src 'self' code.jquery.com; report-uri https://csp-report-api.openjs-foundation.workers.dev/; report-to csp-endpoint"
 profile::wordpress::blogs::sites:
   jquery:
     host: blog.jquery.com
diff --git a/modules/profile/manifests/wordpress/base.pp b/modules/profile/manifests/wordpress/base.pp
@@ -3,7 +3,6 @@
   String[1]           $innodb_buffer_pool_size = lookup('profile::wordpress::base::mariadb_innodb_buffer_pool_size', {default_value => '512M'}),
   String[1]           $wordpress_cli_version   = lookup('profile::wordpress::base::wordpress_cli_version'),
   Optional[String[1]] $default_site_cert       = lookup('profile::wordpress::base::default_site_cert', {default_value => undef}),
-  Optional[String[1]] $csp_header              = undef,
 ) {
   file { '/srv/mariadb':
     ensure => directory,
diff --git a/modules/profile/manifests/wordpress/blogs.pp b/modules/profile/manifests/wordpress/blogs.pp
@@ -5,11 +5,8 @@
   String[1]                        $db_password_seed  = lookup('profile::wordpress::blogs::db_password_seed'),
   Stdlib::Email                    $admin_email       = lookup('profile::wordpress::blogs::admin_email'),
   String[1]                        $admin_password    = lookup('profile::wordpress::blogs::admin_password'),
-  String[1]                        $csp_header        = lookup('profile::wordpress::blogs::csp_header'),
 ) {
-  class { 'profile::wordpress::base':
-    csp_header => $csp_header,
-  }
+  include profile::wordpress::base
 
   git::clone { 'blog.jquery.com-theme':
     path   => '/srv/wordpress/blog.jquery.com-theme',
diff --git a/modules/profile/templates/wordpress/base/default-tls.nginx.erb b/modules/profile/templates/wordpress/base/default-tls.nginx.erb
@@ -14,12 +14,6 @@ server {
 
   server_tokens off;
 
-<%- if @csp_header -%>
-  # Add Content Security Policy headers
-  add_header Reporting-Endpoints "csp-endpoint='https://csp-report-api.openjs-foundation.workers.dev/'";
-  add_header Content-Security-Policy-Report-Only "<%= @csp_header %>" always;
-<%- end -%>
-
   location /.well-known/acme-challenge {
     root /var/www/letsencrypt/;
   }
