#4559 Fix and improve the default CSP_HEADERS
Merged 4 years ago by pingou. Opened 4 years ago by pingou.

file modified
+3 -2
@@ -614,8 +614,9 @@ 

  )

  

  CSP_HEADERS = (

-     "default-src 'self' https:; "

+     "default-src 'self';"

      "script-src 'self' '{nonce_script}'; "

      "style-src 'self' '{nonce_style}'; "

-     "object-src" 'none'"

+     "object-src 'none';"

+     "base-uri 'self';"

  )
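Review bot: the three new elements (`default-src 'self';`, `object-src 'none';`, `base-uri 'self';`) drop the trailing space that the untouched `script-src` and `style-src` elements keep, so the implicitly concatenated policy mixes `;` and `; ` as separators. The CSP grammar makes whitespace around `;` optional, so browsers parse it identically, but ending every element with `"; "` keeps the tuple uniform and makes a later element appended without its separator stand out in review. Two points worth stating in the commit message: the old `"object-src" 'none'"` was an unterminated string literal, so this hunk is a correctness fix, not just a hardening; and removing `https:` from `default-src` tightens every fetch directive not listed explicitly (img-src, font-src, frame-src, connect-src now fall back to `'self'`), which is what the docs/EV question below turns on.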

Signed-off-by: Pierre-Yves Chibon pingou@pingoured.fr

rebased onto c163154

4 years ago

Does docs work with this? We don't have a frame-src and default does not include https: after this. Embedded docs iframe should fail.

We could add frame-src and connect-src statements when docs and ev are enabled on the config

This is the default and should be tweaked by the admins according to their configuration. Since we have neither EV nor docs on by default I think it's fine as is.

However, it may be good to make this explicit in the docs, would you like to open a PR to that end?

works for me. :thumbsup:
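To make the frame-src question above concrete, here is an added example (not Pagure code) that parses the patched `CSP_HEADERS` tuple and resolves which directive governs a given load, applying the default-src fallback a browser uses; the docs/EV origins and the `CSP_HEADERS_DOCS` variant an admin might configure are constructed assumptions.

```python
from __future__ import annotations

# Same implicit string concatenation as the patched config; the nonce
# placeholders are left unformatted because only the directive layout matters.
CSP_HEADERS = (
    "default-src 'self';"
    "script-src 'self' '{nonce_script}'; "
    "style-src 'self' '{nonce_style}'; "
    "object-src 'none';"
    "base-uri 'self';"
)

# Constructed assumption: what an admin enabling docs and EV might append.
CSP_HEADERS_DOCS = CSP_HEADERS + (
    "frame-src https://docs.example.org; "
    "connect-src 'self' https://ev.example.org;"
)

# Fetch directives that inherit default-src when absent (CSP Level 3).
# frame-src really falls back via child-src first; child-src is omitted here.
# base-uri and form-action deliberately never fall back to default-src.
FALLS_BACK_TO_DEFAULT = {"script-src", "style-src", "img-src", "font-src",
                         "connect-src", "frame-src", "media-src", "object-src"}


def parse_csp(policy: str) -> dict[str, list[str]]:
    """Split a serialized policy into {directive: [source expressions]}.
    Whitespace around ';' is optional, so the patch's mix of ';' and '; '
    parses identically. A duplicated directive keeps its first occurrence."""
    directives: dict[str, list[str]] = {}
    for token in policy.split(";"):
        parts = token.split()
        if parts:
            directives.setdefault(parts[0].lower(), parts[1:])
    return directives


def effective_sources(policy: str, directive: str) -> list[str] | None:
    """Sources that govern `directive` after default-src fallback; None when
    the policy does not restrict it at all."""
    d = parse_csp(policy)
    if directive in d:
        return d[directive]
    return d.get("default-src") if directive in FALLS_BACK_TO_DEFAULT else None


def allows_cross_origin(policy: str, directive: str, origin: str) -> bool:
    """Would a load from the third-party `origin` be permitted for `directive`?
    Models only the expressions on this page: 'self', 'none', https:, origins."""
    sources = effective_sources(policy, directive)
    if sources is None:
        return True          # unrestricted: nothing in the policy covers it
    if "'none'" in sources:
        return False
    return "https:" in sources or origin in sources
```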

Pull-Request has been merged by pingou

4 years ago