From 5e755fff9d70a7fd3c4f85bb524f1b774dd85b25 Mon Sep 17 00:00:00 2001
From: Rigel Kent
Date: Thu, 13 Dec 2018 09:49:45 +0100
Subject: add Content Security Policy (#1252)
* add Content Security Policy
* remove reflect-metadata on production builds to get rid of unsafe-eval
* fix baseCSP usage
* add SRI to CSP
* add blob: to media-src
* remove SRI
* CSP set to reportOnly
* adding data: to connect-src CSP
* remove block-all-mixed-content
* add report-uri support
---
config/default.yaml | 2 ++
config/production.yaml.example | 2 ++
2 files changed, 4 insertions(+)
(limited to 'config')
diff --git a/config/default.yaml b/config/default.yaml
index 080638a13..5fdb41250 100644
--- a/config/default.yaml
+++ b/config/default.yaml
@@ -163,6 +163,8 @@ instance:
 "# If you would like to report a security issue\n# you may report it to:\nContact: https://github.com/Chocobozzz/PeerTube/blob/develop/SECURITY.md\nContact: mailto:"
 services:
+ # You can provide a reporting endpoint for Content Security Policy violations
+ csp-logger:
 # Cards configuration to format video in Twitter
 twitter:
 username: '@Chocobozzz' # Indicates the Twitter account for the website or platform on which the content was published
diff --git a/config/production.yaml.example b/config/production.yaml.example
index 770bb97da..c0dbf64b6 100644
--- a/config/production.yaml.example
+++ b/config/production.yaml.example
@@ -177,6 +177,8 @@ instance:
 "# If you would like to report a security issue\n# you may report it to:\nContact: https://github.com/Chocobozzz/PeerTube/blob/develop/SECURITY.md\nContact: mailto:"
 services:
+ # You can provide a reporting endpoint for Content Security Policy violations
+ csp-logger:
 # Cards configuration to format video in Twitter
 twitter:
 username: '@Chocobozzz' # Indicates the Twitter account for the website or platform on which the content was published
--
cgit v1.2.3
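Review bot: The added `csp-logger:` line carries no value, so a YAML parser reads it as null rather than an empty string, and the comment above it does not say what form the value takes or what "unset" looks like; an operator copying this stanza cannot tell whether to put a path, a host or a full URL there. Make the default explicit and document the expected shape, e.g. `# Absolute URL (or leave empty to disable) that receives POSTed CSP violation reports; used as the policy's report-uri` followed by `csp-logger: ''`. The same two lines are added in the config/production.yaml.example hunk and should be changed the same way. The commit subject says the policy is deployed as report-only, so this endpoint is the only observable effect of the CSP until enforcement is turned on; if that is the case it is worth stating in the comment as well, though that cannot be confirmed from these hunks.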