# OCIS Web — Content Security Policy overrides for local development.
#
# Default OCIS CSP only allows connect-src to 'self' + the owncloud awesome-ocis
# repo, which blocks the OIDC metadata fetch from Authentik. We extend connect-src
# with auth.dezky.local, and frame-src with the office.dezky.local and
# collaboration.dezky.local hosts.
#
# Values like "blob:" and "data:" MUST be quoted — bare they're parsed as YAML
# mappings and the proxy service crashes with "expected type 'string'".
# CSP keywords keep their inner single quotes ("'self'", "'none'"): the quotes
# are part of the CSP token, so the YAML string has to carry them.
#
# NOTE(review): every directive is listed here, not only the changed ones —
# presumably this file replaces the default policy instead of merging into it;
# verify, and re-compare against the upstream default when upgrading OCIS.
# NOTE(review): the hosts below are local-development names; a deployed
# environment needs its own copy with its own origins.
directives:
  child-src:
    - "'self'"
  # Origins the web client may reach with fetch/XHR/WebSocket.
  connect-src:
    - "'self'"
    - "blob:"
    # Authentik: needed for the OIDC metadata fetch (see header).
    - "https://auth.dezky.local"
    - "https://raw.githubusercontent.com/owncloud/awesome-ocis/"
  # Deny by default: a fetch type without its own directive below is blocked.
  default-src:
    - "'none'"
  font-src:
    - "'self'"
  # Only same-origin pages may embed the web UI in a frame.
  frame-ancestors:
    - "'self'"
  # Origins the web UI itself may load inside frames.
  frame-src:
    - "'self'"
    - "blob:"
    - "https://embed.diagrams.net/"
    # presumably the office / collaboration integration hosts — TODO confirm
    - "https://office.dezky.local"
    - "https://collaboration.dezky.local"
  img-src:
    - "'self'"
    - "data:"
    - "blob:"
    - "https://raw.githubusercontent.com/owncloud/awesome-ocis/"
  manifest-src:
    - "'self'"
  media-src:
    - "'self'"
  # NOTE(review): object-src is commonly locked down to 'none'; confirm that
  # 'self' and blob: are actually required by the web UI.
  object-src:
    - "'self'"
    - "blob:"
  # 'unsafe-inline' allows inline <script> blocks and event-handler attributes;
  # 'unsafe-eval' allows eval()-style string-to-code evaluation. With both set,
  # this policy does little to contain an injected script.
  # NOTE(review): can't tell from this file whether both are required by the
  # web UI — confirm, and drop whichever is not needed.
  script-src:
    - "'self'"
    - "'unsafe-inline'"
    - "'unsafe-eval'"
  # 'unsafe-inline' here allows inline <style> blocks and style attributes.
  style-src:
    - "'self'"
    - "'unsafe-inline'"