Content-Security-Policy
Thanks. Ideally we would have selfoss send the CSP headers by default but I have not gotten around to considering all the implications yet. We are tracking this in https://github.com/fossar/selfoss/issues/891.
The main issue I see is that we load images from the original sites (except for the thumbnails, which selfoss caches) by default, so `img-src 'self'` will prevent them from loading. But it can be fine if you mostly read articles on the original sites, rather than directly in selfoss.
Also `object-src` can probably be removed (so it defaults to `none`).
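To make the two points above concrete (remote article images versus selfoss's own cached thumbnails under `img-src 'self'`, and `object-src` falling back to `default-src` when it is omitted), here is an added example that is not part of the original thread or of the selfoss code base: a small policy evaluator for the source-expression kinds the discussion touches. The policies, origins and URLs in it are constructed for illustration; a real browser's matching rules cover more cases (ports, paths, nonces, hashes) than this helper does.

```python
from urllib.parse import urlparse

# Constructed sample policies and URLs (not taken from the selfoss project).
PAGE_ORIGIN = "https://reader.example.test"
REMOTE_IMAGE = "https://news.example.org/photo.jpg"       # image in an article body
LOCAL_THUMB = "https://reader.example.test/thumbnails/abc.jpg"  # cached by the reader

STRICT_POLICY = "default-src 'none'; img-src 'self'; script-src 'self'"
RELAXED_POLICY = "default-src 'none'; img-src 'self' https:; script-src 'self'"


def parse_csp(header):
    """Split a Content-Security-Policy header into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def effective_sources(policy, directive):
    """Sources governing a fetch directive such as img-src or object-src.
    A missing fetch directive falls back to default-src; with neither present
    the directive is unrestricted, signalled here by returning None."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src")


def source_allows(source, url, page_origin):
    """True if one source expression permits loading `url` from a page at `page_origin`.
    Handles 'none', 'self', '*', scheme sources (https:, data:) and host sources
    with an optional *. wildcard prefix."""
    src = source.lower()
    u = urlparse(url)
    if src == "'none'":
        return False
    if src == "'self'":
        return f"{u.scheme}://{u.netloc}" == page_origin.lower()
    if src == "*":
        return u.scheme in ("http", "https")  # '*' never matches data: or blob:
    if src.endswith(":"):
        return u.scheme == src[:-1]
    # Host source; a bare host inherits the page scheme for the comparison.
    host_src = urlparse(src if "://" in src else f"{u.scheme}://{src}")
    if host_src.scheme != u.scheme:
        return False
    if host_src.netloc.startswith("*."):
        return u.netloc.endswith(host_src.netloc[1:])
    return u.netloc == host_src.netloc


def load_allowed(header, directive, url, page_origin=PAGE_ORIGIN):
    """Would a resource governed by `directive` load under this policy?"""
    sources = effective_sources(parse_csp(header), directive)
    if sources is None:
        return True  # neither the directive nor default-src is set: not restricted
    return any(source_allows(s, url, page_origin) for s in sources)


if __name__ == "__main__":
    for name, policy in (("strict", STRICT_POLICY), ("relaxed", RELAXED_POLICY)):
        print(name, "remote article image:", load_allowed(policy, "img-src", REMOTE_IMAGE))
        print(name, "cached thumbnail:   ", load_allowed(policy, "img-src", LOCAL_THUMB))
    # object-src is absent from the strict policy, so it inherits default-src 'none'.
    print("strict plugin object:", load_allowed(STRICT_POLICY, "object-src", REMOTE_IMAGE))
```

Running it shows the trade-off from the post: under the strict policy the cached thumbnail loads but the article's remote image does not, while adding `https:` to `img-src` lets remote images through at the cost of allowing any HTTPS origin. It also shows why dropping `object-src` is only safe to the extent `default-src` is already `'none'`, since that is what an omitted fetch directive inherits.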
Complete thread:
- Content-Security-Policy - nickrickard, 2023-05-11, 09:54
- Content-Security-Policy - jtojnar, 2023-05-11, 15:43
- Content-Security-Policy - nickrickard, 2023-05-11, 17:30