Embed CSP meta tag and stop using script-src unsafe-inline #12258
Conversation
There was a problem hiding this comment.
Looks great overall!
Please file a new issue for the unsafe-eval if we don't have one already (I'd like to use something separate from #3632 at least).
Thanks also for the font-src fix, and splitting child-src to frame-src and worker-src.
Safari doesn't yet support worker-src... Maybe it's best to keep child-src for older browsers, but also have frame-src and worker-src for newer ones?
…or backwards compat and split onto multiple lines for readability Signed-off-by: Michael Telatynski <7t3chguy@gmail.com>
Co-Authored-By: J. Ryan Stinnett <jryans@gmail.com>
|
Slightly off-topic, just in case someone wonders (like I did) what happens if CSP is defined as HTTP header and meta tag (which probably happens for self-hosted riot instances with CSP via HTTP header with this change):
|
Right, we'll remove the HTTP specified ones once this PR has been deployed to release. |
| default-src 'none'; | ||
| style-src 'self' 'unsafe-inline'; | ||
| script-src 'self' 'unsafe-eval' https://www.recaptcha.net https://www.gstatic.com; | ||
| img-src * blob: data:; |
There was a problem hiding this comment.
Why img-src *?
At the time I've suggested one it did seem to work without that (in my tests). Maybe I did not use/test some third-party image embedding loading?
That said, loading images directly from third-party servers may/should possibly be avoided due to privacy concerns, should not it?
There was a problem hiding this comment.
it was copied from the CSP header served at riot.im/app
I did not evaluate img-src, feel free to open an issue for it
* Remove allchange dependency Signed-off-by: Michael Telatynski <7t3chguy@gmail.com> * Remove stale release scripts Signed-off-by: Michael Telatynski <7t3chguy@gmail.com> * Update pull request template to remove allchange behaviours Signed-off-by: Michael Telatynski <7t3chguy@gmail.com> --------- Signed-off-by: Michael Telatynski <7t3chguy@gmail.com>
Fixes #3632