Content-Security-Policy

by nickrickard, Thursday, May 11, 2023, 09:54 (323 days ago)

I'm sharing this to get feedback if I can improve it or to help others. I didn't see anything about it in the documentation. From a bit of testing, I think the minimal Content-Security-Policy header permissions required on the server to allow selfoss to run are:

add_header Content-Security-Policy "default-src 'none'; base-uri 'self'; connect-src 'self'; font-src 'self'; img-src 'self'; object-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; upgrade-insecure-requests; block-all-mixed-content; frame-ancestors 'none';" always;

(This is nginx syntax but you'll get the idea for Apache.)

Any thoughts, please? Maybe to add to the 'nginx configuration' wiki if it looks okay?

Content-Security-Policy

by jtojnar, Thursday, May 11, 2023, 15:43 (323 days ago) @ nickrickard

Thanks. Ideally we would have selfoss send the CSP headers by default but I have not gotten around to considering all the implications yet. We are tracking this in https://github.com/fossar/selfoss/issues/891.

Main issue I see is that we load images from the original sites (except for the thumbnails, which selfoss caches) by default, so img-src 'self' will prevent them from loading. But it can be fine if you mostly read articles on the original sites, rather than directly in selfoss.

Also object-src can probably be removed (so it defaults to none).

Content-Security-Policy

by nickrickard, Thursday, May 11, 2023, 17:30 (323 days ago) @ jtojnar

img-src *; is therefore better for remote images in articles. I thought my selfoss had stopped working when I removed object-src but I've just (re)tried it and it seems fine.
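To check what the policies discussed in this thread actually permit, here is an added example (not code from selfoss or from either poster) that parses a CSP header and evaluates a source URL against a directive, including the fallback from a missing object-src to default-src 'none'. The sample policy and URLs are constructed for illustration; the matcher covers only the source forms used in this thread ('none', 'self', *, scheme and exact origin).

```python
from urllib.parse import urlparse

# Constructed sample: the thread's header with object-src removed and img-src widened to *.
SAMPLE_POLICY = ("default-src 'none'; base-uri 'self'; connect-src 'self'; font-src 'self'; "
                 "img-src *; script-src 'self'; style-src 'self' 'unsafe-inline'; "
                 "upgrade-insecure-requests; block-all-mixed-content; frame-ancestors 'none'")

# Fetch directives that inherit from default-src when they are not set explicitly.
FETCH_DIRECTIVES = {"connect-src", "font-src", "img-src", "object-src", "script-src", "style-src"}


def parse_csp(header):
    """Split a CSP header into {directive: [source expressions]}; first occurrence wins."""
    policy = {}
    for token in header.split(";"):
        parts = token.strip().split()
        if parts and parts[0].lower() not in policy:
            policy[parts[0].lower()] = parts[1:]
    return policy


def effective_sources(policy, directive):
    """Resolve the source list: explicit directive, else default-src, else unrestricted."""
    if directive in policy:
        return policy[directive]
    if directive in FETCH_DIRECTIVES and "default-src" in policy:
        return policy["default-src"]
    return ["*"]


def source_allowed(policy, directive, url, page_origin):
    """Return True if `url` may be loaded under `directive` by a page served from `page_origin`."""
    sources = [s.lower() for s in effective_sources(policy, directive)]
    if not sources or sources == ["'none'"]:
        return False
    u = urlparse(url)
    origin = f"{u.scheme}://{u.netloc}"
    for src in sources:
        if src == "*" and u.scheme in ("http", "https", "ws", "wss"):
            return True  # * matches network schemes, not data: or blob:
        if src == "'self'" and origin == page_origin:
            return True
        if src in ("http:", "https:") and u.scheme == src[:-1]:
            return True
        if src.startswith(("http://", "https://")) and origin == src.rstrip("/"):
            return True
    return False
```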
