Content Security Policy (CSP)


#1

I was playing around with the security settings in the nginx configuration and stumbled across this post.

But there were some problems with the online PDF viewer. I changed the lines to this:

add_header Content-Security-Policy "default-src 'self'; script-src http://seafile.com/ https://www.seafile.com/ 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src blob: https://your.domain.com/ 'self'; font-src 'self'; connect-src 'self';";

At the end of loading the PDF online I get another error about a blocked src, but everything is working fine.
(It's a "data:" src that is getting blocked.)

So my question: Is it safe to use those options and are those correct?
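Added example, not code from the post or from Seafile: a small Python evaluator for the header quoted above. It parses the policy, applies the spec's default-src fallback, shows why the viewer's data: image is blocked, and contrasts a narrow fix (data: on img-src only) with the 'unsafe-inline'/'unsafe-eval' keywords that weaken script-src; the page origin https://your.domain.com is an assumption, and the matcher covers only the source forms used in the posted header.

```python
from urllib.parse import urlsplit

# Policy quoted from the forum post above (the one that blocks the data: image).
POSTED_CSP = ("default-src 'self'; script-src http://seafile.com/ https://www.seafile.com/ "
              "'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; "
              "img-src blob: https://your.domain.com/ 'self'; font-src 'self'; connect-src 'self';")

PAGE_ORIGIN = "https://your.domain.com"  # assumed origin of the Seafile pages

def parse_csp(header):
    """Split a CSP header into {directive: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy

def source_matches(source, url, page_origin):
    """Apply one CSP source expression to a URL (subset of the spec's matching)."""
    if source == "'self'":
        source = page_origin
    if source.startswith("'"):  # 'none', 'unsafe-inline', nonces, hashes: never match a URL
        return False
    if source.endswith(":") and "/" not in source:  # scheme-source such as data: or blob:
        return url.lower().startswith(source.lower())
    if "://" not in source:  # bare host-source: let urlsplit see it as a netloc
        source = "//" + source
    src, tgt = urlsplit(source), urlsplit(url)
    if src.scheme and src.scheme != tgt.scheme:
        return False
    host_ok = tgt.hostname is not None and src.hostname == tgt.hostname
    path_ok = not src.path or src.path == "/" or tgt.path.startswith(src.path)
    return host_ok and path_ok

def allows(policy, directive, url, page_origin=PAGE_ORIGIN):
    """A fetch directive absent from the policy falls back to default-src."""
    sources = policy.get(directive, policy.get("default-src", []))
    return any(source_matches(s, url, page_origin) for s in sources)

def weak_script_sources(policy):
    """Keywords in the effective script-src that let injected script execute."""
    sources = policy.get("script-src", policy.get("default-src", []))
    return [s for s in sources if s in ("'unsafe-inline'", "'unsafe-eval'")]

# Narrow fix: permit data: only for images, where the viewer needs it, not in default-src.
FIXED_CSP = POSTED_CSP.replace("img-src blob:", "img-src blob: data:")

if __name__ == "__main__":
    posted = parse_csp(POSTED_CSP)
    print("data: image allowed by posted policy:", allows(posted, "img-src", "data:image/png;base64,AAAA"))
    print("data: image allowed by fixed policy: ", allows(parse_csp(FIXED_CSP), "img-src", "data:image/png;base64,AAAA"))
    print("script-src weakeners:", weak_script_sources(posted))
```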


#2

Thanks for sharing @littlecoce. I would love to know how to properly configure CSP with seafile as well.


#3

Check security server, best CSP I could find so far.