#8062 pagure: tune in CSP headers
Closed: Fixed 6 months ago by pingou. Opened 6 months ago by jlanda.

With pagure 5.7.2 we went further in restricting content security policies, and we need some custom headers for stg.pagure.io.

The previous one had a typo on the ev port.

Don't merge this yet, I want to discuss img-src with @pingou.

After discussing with @pingou, we agreed to go with a more permissive img-src policy.

Metadata Update from @pingou:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)


It seems it's the error that is preventing avatars from being correctly displayed on 5.7.2? https://git.dev.centos.org doesn't display avatars anymore, while the link to libravatar is still correct, and opening the image in a second window works fine.

@arrfab yep, we went too far hardening content security policies.

For the avatars, you'll need to add a more permissive img-src policy. "img-src 'self' http:;" should fix that.

I don't know how the centos instance is configured, but in case you're using the ev service, you'll also need to modify the connect-src policy: "connect-src 'self' https://{{insert_ev_public_host_and_port_here}};"

If docs is enabled, you'll need "frame-src {{ insert_docs_public_host_here }};"
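To check a candidate policy before deploying it, here is a small CSP evaluator written as an added example for this ticket (it is not pagure's code). It parses a header, applies the browser's fallback to default-src, and reports whether an avatar, ev or docs load is permitted; the host names pagure.example.org, ev.example.org and docs.example.org are constructed placeholders.

```python
# Minimal Content-Security-Policy evaluator for the directives in this ticket.
# Added example, not pagure's own code: checks whether a policy permits a load
# under img-src, connect-src or frame-src, falling back to default-src as browsers do.
from urllib.parse import urlparse

def parse_csp(header):
    """'img-src a b; frame-src c' -> {'img-src': ['a', 'b'], 'frame-src': ['c']}"""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy

def scheme_ok(expr_scheme, url_scheme):
    # CSP3 lets an http source cover https loads; otherwise schemes must match
    return url_scheme == expr_scheme or (expr_scheme == "http" and url_scheme == "https")

def source_matches(expr, target, page):
    """One source expression ('self', scheme:, host[:port], *.host) against one URL."""
    if expr == "'none'":
        return False
    if expr == "'self'":
        return (target.scheme, target.netloc) == (page.scheme, page.netloc)
    if expr.endswith(":") and "/" not in expr:  # scheme-source such as http:
        return scheme_ok(expr[:-1], target.scheme)
    host = urlparse(expr if "://" in expr else "//" + expr)  # host-source
    if host.scheme and not scheme_ok(host.scheme, target.scheme):
        return False
    if (host.hostname or "").startswith("*."):
        return (target.hostname or "").endswith(host.hostname[1:])
    return host.netloc == target.netloc  # simplified: default ports not normalised

def allowed(header, directive, url, page_url):
    """True if the page at page_url may load url under the given directive."""
    policy = parse_csp(header)
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:  # neither the directive nor default-src: unrestricted
        return True
    target, page = urlparse(url), urlparse(page_url)
    return any(source_matches(s, target, page) for s in sources)

# Constructed policies and hosts reproducing the ticket's before/after
PAGE = "https://pagure.example.org"
STRICT = "default-src 'self'; img-src 'self'"
RELAXED = ("default-src 'self'; img-src 'self' http:; "
           "connect-src 'self' https://ev.example.org:8088; "
           "frame-src https://docs.example.org")
AVATAR = "https://seccdn.libravatar.org/avatar/0123abcd"  # constructed sample URL
```

Running allowed(STRICT, "img-src", AVATAR, PAGE) reproduces the blocked avatar, and the same call against RELAXED shows the permissive img-src fixing it.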

Yeah, we should document this on pagure
