From 5e755fff9d70a7fd3c4f85bb524f1b774dd85b25 Mon Sep 17 00:00:00 2001
From: Rigel Kent <par@rigelk.eu>
Date: Thu, 13 Dec 2018 09:49:45 +0100
Subject: add Content Security Policy (#1252)

* add Content Security Policy

* remove reflect-metadata on production builds to get rid of unsafe-eval

* fix baseCSP usage

* add SRI to CSP

* add blob: to media-src

* remove SRI

* CSP set to reportOnly

* adding data: to connect-src CSP

* remove block-all-mixed-content

* add report-uri support
---
 config/default.yaml            | 2 ++
 config/production.yaml.example | 2 ++
 2 files changed, 4 insertions(+)

(limited to 'config')

diff --git a/config/default.yaml b/config/default.yaml
index 080638a13..5fdb41250 100644
--- a/config/default.yaml
+++ b/config/default.yaml
@@ -163,6 +163,8 @@ instance:
     "# If you would like to report a security issue\n# you may report it to:\nContact: https://github.com/Chocobozzz/PeerTube/blob/develop/SECURITY.md\nContact: mailto:"
 
 services:
+  # You can provide a reporting endpoint for Content Security Policy violations
+  csp-logger:
   # Cards configuration to format video in Twitter
   twitter:
     username: '@Chocobozzz' # Indicates the Twitter account for the website or platform on which the content was published
diff --git a/config/production.yaml.example b/config/production.yaml.example
index 770bb97da..c0dbf64b6 100644
--- a/config/production.yaml.example
+++ b/config/production.yaml.example
@@ -177,6 +177,8 @@ instance:
     "# If you would like to report a security issue\n# you may report it to:\nContact: https://github.com/Chocobozzz/PeerTube/blob/develop/SECURITY.md\nContact: mailto:"
 
 services:
+  # You can provide a reporting endpoint for Content Security Policy violations
+  csp-logger:
   # Cards configuration to format video in Twitter
   twitter:
     username: '@Chocobozzz' # Indicates the Twitter account for the website or platform on which the content was published
-- 
cgit v1.2.3