Audit screenshots.firefox.com CSP

[ghost]

see comment further down

[ghost]

Ok, I think I copied from the wrong site. This is screenshots.firefox.com:

 Content-Security-Policy: 
   default-src 'self'; 
   img-src 'self' stable.dev.lcip.org www.google-analytics.com screenshotscdn.firefox.com screenshotscdn.firefoxusercontent.com screenshots.firefoxusercontent.com data:; 
   script-src 'self' screenshotscdn.firefox.com www.google-analytics.com 'nonce-74c01282-fc60-493c-b255-3bc4d36bebb7'; 
   style-src 'self' screenshotscdn.firefox.com 'unsafe-inline' https://code.cdn.mozilla.net; 
   connect-src 'self' screenshotscdn.firefox.com www.google-analytics.com sentry.prod.mozaws.net; 
   font-src https://code.cdn.mozilla.net; 
   frame-ancestors 'none'; 
   object-src 'none';

So, the questions I see from this are:

• Do we need stable.dev.lcip.org for images?
• Do we need unsafe-inline for styles?

[chenba]

• stable.dev.lcip.org (or whatever's configured for FxA) is necessary because of the FxA user profile image.
• There are some inline style. And for something that's per shot, like the favicon (set as a background-image), setting it dynamically inline make sense. It might make more sense to use <img>. So we just need to go through all the inline style and review them if we want to remove them.

[ghost]

Thanks Barry!