Set content security policy http header for all responses #621
Conversation
|
Broke it again. Check the browser console. |
|
I checked it. What error do you see? |
|
Content Security Policy: The page’s settings blocked the loading of a resource at eval (“script-src”). client.js:675 |
|
I cant reproduce that, but added unsafe-eval. Would be good if we could get rid of all the unsafe btw. |
|
Now I'm getting: To reproduce this, you have to be running |
Nutomic
force-pushed
the
csp-http-header2
branch
from
62153d2 to
88352b1
Compare
|
Found a way to fix it. |
|
This should be good to merge. |
|
Okay, but we gotta remember to check the federation test instances before we do our next deploy to make sure it didn't break websocket. |
|
Nevermind, I'm reverting this again as it broke development over a local network. |
…)" This reverts commit b77689e.
|
Actually there's another way to do it, I'll include that with another PR. |
Tested with this browser plugin that it works without any errors.
This site analyzes the policy. Main problems are
frame-ancestors(do we really want to block iframes?) andupgrade-insecure-requests(not sure if this would break http images).