Set Content-Security-Policy rules through RoR's config #8957
FYI, this change causes an error with embeds from external instances:
To reproduce, find a toot with media that's from an instance other than your own, then choose "embed" from the ... overflow menu. You can view the errors in the console. I used this toot for the example: https://toot-lab.reclaim.technology/@djsundog/100879221677869657 but you'll need to find one from your timeline in order to get the "embed" option. I'm not sure how much it matters though? I almost feel like blocking third party JS here is a feature. I can live without external formatting.
This is probably much worse: the change also prevents media from loading from object storage.
I can think of multiple ways to resolve that, including by proxying the media, but it seems bad to have a default CSP that breaks external S3 storage.
media_src includes assets_host by default, so I'm not sure what the problem could be there. Maybe there's a difference in asset_host and paperclip configuration?
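The two comments above (media from object storage being blocked, and media_src being built from assets_host) come down to how a browser matches a CSP source list against the origin a resource is actually fetched from. The following is an added example, not code from this PR or from Mastodon: a small, simplified CSP source-list matcher in plain Ruby. The hostnames (`mastodon.example`, `assets.mastodon.example`, `example-bucket.s3.example`) are constructed placeholders, and the matcher ignores path-part matching and some CSP3 details, so it is an illustration of the mechanism rather than a full implementation.

```ruby
# Added example (not from the PR): a simplified CSP source-list matcher showing
# why a media-src built only from asset_host rejects object-storage (S3) URLs.
require "uri"

# Constructed placeholder hosts; not a real deployment.
PAGE_ORIGIN = "https://mastodon.example"
ASSET_HOST  = "https://assets.mastodon.example"
S3_HOST     = "https://example-bucket.s3.example"

# Build a media-src source list: 'self', the asset host, and any extra hosts
# (for example the object-storage endpoint Paperclip serves files from).
def media_src_sources(asset_host:, extra_hosts: [])
  ["'self'", asset_host, *extra_hosts].compact
end

# Serialise the list into the directive string a browser would receive.
def media_src_directive(sources)
  "media-src #{sources.join(' ')}"
end

# host-source grammar: [scheme://]host[:port][/path], host may be "*" or "*.x".
HOST_SOURCE = %r{\A(?:(?<scheme>[a-z][a-z0-9+.\-]*)://)?(?<host>\*|(?:\*\.)?[^/:*\s]+)(?::(?<port>\d+|\*))?(?<path>/\S*)?\z}i

def same_origin?(url, origin)
  [url.scheme.downcase, url.host.downcase, url.port] ==
    [origin.scheme.downcase, origin.host.downcase, origin.port]
end

# Simplified host-source matching: scheme (falls back to the page scheme, with an
# http -> https upgrade allowed), host (leading "*." matches subdomains only), and
# port (must be the scheme default when omitted). Path matching is ignored.
def host_source_allows?(source, url, origin)
  m = HOST_SOURCE.match(source) or return false
  scheme_ok = if m[:scheme]
                m[:scheme].casecmp?(url.scheme)
              else
                origin.scheme.casecmp?(url.scheme) ||
                  (origin.scheme == "http" && url.scheme == "https")
              end
  host_ok = case m[:host]
            when "*" then true
            when /\A\*\./ then url.host.downcase.end_with?(m[:host][1..-1].downcase)
            else url.host.casecmp?(m[:host])
            end
  port_ok = case m[:port]
            when nil then url.port == url.default_port
            when "*" then true
            else url.port == m[:port].to_i
            end
  scheme_ok && host_ok && port_ok
end

def source_allows?(source, url, origin)
  case source
  when "'none'" then false
  when "'self'" then same_origin?(url, origin)
  when /\A[a-z][a-z0-9+.\-]*:\z/i then url.scheme.casecmp?(source.chomp(":"))
  else host_source_allows?(source, url, origin)
  end
end

# True when at least one source in the list permits fetching url_str.
def policy_allows?(sources, url_str, page_origin: PAGE_ORIGIN)
  url    = URI.parse(url_str)
  origin = URI.parse(page_origin)
  return false unless url.host && origin.host
  sources.any? { |s| source_allows?(s, url, origin) }
end

if __FILE__ == $PROGRAM_NAME
  s3_media = "#{S3_HOST}/media_attachments/files/000/000/001/original/cat.png"
  default_sources = media_src_sources(asset_host: ASSET_HOST)
  fixed_sources   = media_src_sources(asset_host: ASSET_HOST, extra_hosts: [S3_HOST])
  puts media_src_directive(default_sources)
  puts "S3 media allowed? #{policy_allows?(default_sources, s3_media)}" # false
  puts media_src_directive(fixed_sources)
  puts "S3 media allowed? #{policy_allows?(fixed_sources, s3_media)}"   # true
end
```

The takeaway for a deployment check: compare the origin that media URLs actually resolve to (asset_host or the Paperclip/S3 endpoint, which may differ) against every source in the emitted media-src; if the storage origin is absent, the browser will refuse the fetch, and the console error quoted earlier in this thread is the symptom.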
Adding
@nightpool I'm not sure, but as far as I can tell, assets_host only references my instance's hostname and not the S3 hostname.
Oh yeah, sorry, I have forgotten a few fixes. Gonna push them.
So has this been tested with https://csp-evaluator.withgoogle.com/ or other tools?
@rugk yes. I invite you to try it out yourself with one of the many 2.6.1 instances out there.
This is ported from glitch-soc, where this seems to work.
It may have been insufficiently tested with some configurations, though.