Skip to content

add Content-Security-Policy header #1714

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
morgankevinj wants to merge 1 commit into from
Closed

add Content-Security-Policy header #1714

morgankevinj wants to merge 1 commit into from

Conversation

@morgankevinj
Copy link

@morgankevinj morgankevinj commented Nov 22, 2019

Add "add_header Content-Security-Policy "default-src 'self'" always;" and remove redundant headers

@morgankevinj
add Content-Security-Policy header
792f377 
Add "add_header Content-Security-Policy "default-src 'self'" always;" and remove redundant headers
@skjnldsv
Copy link
Member

skjnldsv commented Nov 22, 2019

Hi,

Our csp settings are managed within nextcloud directly.

remove redundant headers

What do you mean by that?

@morgankevinj
Copy link
Author

morgankevinj commented Nov 23, 2019
edited
Loading

Setting frame-ancestors to 'none' should be roughly equivalent to X-Frame-Options: DENY.
script-src limits scripts so it can replace X-XSS-Protection.
When frame-ancestors and script-src are not declared the policy falls back on default-src.
according to https://content-security-policy.com/#source_list

@skjnldsv
Copy link
Member

skjnldsv commented Nov 23, 2019

cc @rullzer

@rullzer
Copy link
Member

rullzer commented Nov 23, 2019

Nope. We set the csp from nextcloud. Because we need to also set the nonce etc.

@kesselb
Copy link
Contributor

kesselb commented Nov 23, 2019

Thanks @morgankevinj 👍

Unfortunately IE11 is still supported https://github.com/nextcloud/browserslist-config/blob/master/browserlist.config.js

and does not support the frame-ancestors directive https://caniuse.com/#feat=mdn-http_headers_csp_content-security-policy_frame-ancestors

@skjnldsv
Copy link
Member

skjnldsv commented Nov 23, 2019

Closing then :)

@skjnldsv skjnldsv closed this Nov 23, 2019
minecrawler added a commit to minecrawler/documentation that referenced this pull request Sep 29, 2022
@minecrawler
re-apply nextcloud#1714 add Content-Security-Policy header
55290d0
minecrawler added a commit to minecrawler/documentation that referenced this pull request Sep 29, 2022
@minecrawler
re-apply nextcloud#1714 add Content-Security-Policy header
05c3010
@minecrawler minecrawler mentioned this pull request Sep 29, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@kesselb kesselb Awaiting requested review from kesselb

@rullzer rullzer Awaiting requested review from rullzer

@blizzz blizzz Awaiting requested review from blizzz

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@morgankevinj @skjnldsv @rullzer @kesselb