I was playing around with the security settings in the nginx configuration and stumbled across this post.
But there were some problems with the online PDF viewer. I changed the lines to this:
add_header Content-Security-Policy "default-src 'self'; script-src http://seafile.com/ https://www.seafile.com/ 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src blob: https://your.domain.com/ 'self'; font-src 'self'; connect-src 'self';";
At the end of loading the PDF online I get another error about a blocked src but everything is working fine.
(It’s a “data:”-src which is getting blocked)
So my question: Is it safe to use those options and are those correct?
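As an added example (not part of the original post and not Seafile's own code), this script parses the policy quoted above, lists the source expressions that loosen it, and reports which fetch directives would refuse a `data:` URL. The function names are made up for this illustration, and the check models only explicit scheme sources and the `default-src` fallback.

```javascript
// Added example: audit of the Content-Security-Policy value quoted in the post.
const POLICY = "default-src 'self'; script-src http://seafile.com/ https://www.seafile.com/ 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src blob: https://your.domain.com/ 'self'; font-src 'self'; connect-src 'self';";

// Fetch directives that fall back directly to default-src when absent.
const FETCH = ['script-src', 'style-src', 'img-src', 'font-src',
               'connect-src', 'media-src', 'object-src'];

// Split a policy string into a Map of directive name -> source list.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored by browsers; the first one wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// True if a URL with this scheme (e.g. "data:") passes the governing directive.
// Host sources, 'self' and "*" never match data: or blob:, so only an
// explicit scheme source counts.
function allowsScheme(directives, name, scheme) {
  const sources = directives.get(name) ?? directives.get('default-src');
  if (sources === undefined) return true; // no governing directive: unrestricted
  return sources.some((s) => s.toLowerCase() === scheme);
}

// Source expressions that weaken the policy: inline/eval keywords and cleartext hosts.
function riskySources(directives) {
  const findings = [];
  for (const [name, sources] of directives) {
    for (const src of sources) {
      const s = src.toLowerCase();
      if (s === "'unsafe-inline'" || s === "'unsafe-eval'") findings.push(`${name}: ${s}`);
      else if (s.startsWith('http://')) findings.push(`${name}: cleartext source ${s}`);
    }
  }
  return findings;
}

// Fetch directives under which a URL with this scheme would be blocked.
function blockedFor(directives, scheme) {
  return FETCH.filter((name) => !allowsScheme(directives, name, scheme));
}

const parsed = parseCsp(POLICY);
console.log('Weakening sources:', riskySources(parsed));
console.log('data: blocked under:', blockedFor(parsed, 'data:'));
```

The browser console message for the blocked `data:` load names the directive that was violated, which identifies the single entry from the second list that would need a `data:` source.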