by nickrickard, Thursday, May 11, 2023, 09:54 (405 days ago)

I'm sharing this to get feedback if I can improve it or to help others. I didn't see anything about it in the documentation. From a bit of testing, I think the minimal Content-Security-Policy header permissions required on the server to allow selfoss to run are:

add_header Content-Security-Policy "default-src 'none'; base-uri 'self'; connect-src 'self'; font-src 'self'; img-src 'self'; object-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; upgrade-insecure-requests; block-all-mixed-content; frame-ancestors 'none';" always;

(This is nginx syntax but you'll get the idea for Apache.)

Any thoughts, please? Maybe to add to the 'nginx configuration' wiki if it looks okay?


by jtojnar, Thursday, May 11, 2023, 15:43 (405 days ago) @ nickrickard

Thanks. Ideally we would have selfoss send the CSP headers by default but I have not gotten around to considering all the implications yet. We are tracking this in

The main issue I see is that we load images from the original sites (except for the thumbnails, which selfoss caches) by default, so img-src 'self' will prevent them from loading. But it can be fine if you mostly read articles on the original sites, rather than directly in selfoss.

Also object-src can probably be removed (so it defaults to none).


by nickrickard, Thursday, May 11, 2023, 17:30 (405 days ago) @ jtojnar

img-src *; is therefore better for remote images in articles. I thought my selfoss had stopped working when I removed object-src but I've just (re)tried it and it seems fine.
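
Added example, not code from this thread or from the selfoss project: a small Python evaluator that parses a CSP header value and resolves which source list actually governs a given load, so the two points above (remote article images under img-src 'self' versus img-src *, and object-src falling back to default-src 'none' when it is dropped) can be checked before touching the nginx config. The header string is the one from the first post; the page origin selfoss.example and the remote image URL are constructed for the demonstration, and the fallback table follows the CSP Level 3 fetch-directive list as I understand it.

```python
"""Toy CSP source-list evaluator: which directive applies, and does it allow a URL?"""
from urllib.parse import urlparse

# Fetch directives that fall back to default-src when absent (CSP Level 3).
# frame-ancestors and base-uri are NOT on this list: without them, no restriction.
FALLS_BACK_TO_DEFAULT = frozenset({
    "img-src", "script-src", "style-src", "font-src", "connect-src",
    "object-src", "media-src", "frame-src", "child-src", "worker-src",
    "manifest-src",
})

# Header value from the first post (nginx add_header wrapping removed).
THREAD_CSP = ("default-src 'none'; base-uri 'self'; connect-src 'self'; font-src 'self'; "
              "img-src 'self'; object-src 'self'; script-src 'self'; "
              "style-src 'self' 'unsafe-inline'; upgrade-insecure-requests; "
              "block-all-mixed-content; frame-ancestors 'none';")

# Constructed origins for the demonstration (not taken from the thread).
PAGE = "https://selfoss.example/"
THUMB = "https://selfoss.example/data/thumbnails/abc.jpg"   # cached by selfoss itself
REMOTE_IMG = "https://news.example/story/pic.png"            # image hot-linked in an article


def parse_csp(header: str) -> dict:
    """Parse 'directive src src; directive ...' into {directive: [sources]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in policy:          # a repeated directive is ignored per spec
            policy[name] = [t.lower() for t in tokens[1:]]
    return policy


def effective_sources(policy: dict, directive: str):
    """Source list that governs `directive`, after default-src fallback; None = unrestricted."""
    if directive in policy:
        return policy[directive]
    if directive in FALLS_BACK_TO_DEFAULT and "default-src" in policy:
        return policy["default-src"]
    return None


def _origin(url: str) -> str:
    u = urlparse(url)
    return f"{u.scheme}://{u.netloc}".lower()


def _host_source_matches(source: str, url: str) -> bool:
    """Match a host-source such as news.example, *.example or https://cdn.example:443."""
    u = urlparse(url)
    s = urlparse(source if "://" in source else f"{u.scheme}://{source}")
    if s.scheme != u.scheme:
        return False
    src_host, url_host = s.hostname or "", (u.hostname or "").lower()
    if src_host.startswith("*."):
        if not url_host.endswith(src_host[1:]):
            return False
    elif src_host != url_host:
        return False
    # An explicit port in the source must match; an omitted one means the scheme default.
    default_port = {"http": 80, "https": 443}.get(u.scheme)
    return s.port is None or s.port == (u.port or default_port)


def source_matches(source: str, url: str, page_url: str) -> bool:
    """Does one source expression allow loading `url` from a page at `page_url`?"""
    if source == "'none'":
        return False
    if source == "'self'":
        return _origin(url) == _origin(page_url)
    if source == "*":
        return urlparse(url).scheme in ("http", "https", "ws", "wss")
    if source.startswith("'"):
        return False                     # 'unsafe-inline', nonces, hashes never match a URL
    if source.endswith(":"):
        return urlparse(url).scheme + ":" == source   # scheme-source, e.g. https:
    return _host_source_matches(source, url)


def load_allowed(header: str, directive: str, url: str, page_url: str) -> bool:
    sources = effective_sources(parse_csp(header), directive)
    if sources is None:
        return True                      # neither the directive nor default-src is set
    return any(source_matches(s, url, page_url) for s in sources)


def without_directive(header: str, name: str) -> str:
    """Return the header with one directive dropped (to test fallback behaviour)."""
    parts = [p for p in header.split(";") if p.split() and p.split()[0].lower() != name]
    return ";".join(parts) + ";"


def with_img_src(header: str, sources: str) -> str:
    return without_directive(header, "img-src") + f" img-src {sources};"


if __name__ == "__main__":
    print("thumbnail under img-src 'self':", load_allowed(THREAD_CSP, "img-src", THUMB, PAGE))
    print("remote image under img-src 'self':", load_allowed(THREAD_CSP, "img-src", REMOTE_IMG, PAGE))
    print("remote image under img-src *:", load_allowed(with_img_src(THREAD_CSP, "*"), "img-src", REMOTE_IMG, PAGE))
    no_obj = without_directive(THREAD_CSP, "object-src")
    print("object-src after removal resolves to:", effective_sources(parse_csp(no_obj), "object-src"))
```

The same evaluator shows why dropping frame-ancestors is not equivalent to dropping object-src: frame-ancestors has no default-src fallback, so removing it leaves framing unrestricted, whereas object-src inherits 'none'.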

