Skip to content

add Content-Security-Policy header#1714

Closed
morgankevinj wants to merge 1 commit intonextcloud:masterfrom
morgankevinj:patch-2
Closed

add Content-Security-Policy header#1714
morgankevinj wants to merge 1 commit intonextcloud:masterfrom
morgankevinj:patch-2

Conversation

@morgankevinj
Copy link

@morgankevinj morgankevinj commented Nov 22, 2019

Add "add_header Content-Security-Policy "default-src 'self'" always;" and remove redundant headers

@morgankevinj
add Content-Security-Policy header
792f377 
Add "add_header Content-Security-Policy "default-src 'self'" always;" and remove redundant headers
@skjnldsv
Copy link
Member

skjnldsv commented Nov 22, 2019

Hi,

Our csp settings are managed within nextcloud directly.

remove redundant headers

What do you mean by that?

@morgankevinj
Copy link
Author

morgankevinj commented Nov 23, 2019
edited
Loading

Setting frame-ancestors to 'none' should be roughly equivalent to X-Frame-Options: DENY.
script-src limits scripts so it can replace X-XSS-Protection.
When frame-ancestors and script-src are not declared the policy falls back on default-src.
according to https://content-security-policy.com/#source_list

@skjnldsv
Copy link
Member

skjnldsv commented Nov 23, 2019

cc @rullzer

@rullzer
Copy link
Member

rullzer commented Nov 23, 2019

Nope. We set the csp from nextcloud. Because we need to also set the nonce etc.

@kesselb
Copy link
Contributor

kesselb commented Nov 23, 2019

Thanks @morgankevinj 👍

Unfortunately IE11 is still supported https://github.com/nextcloud/browserslist-config/blob/master/browserlist.config.js

and does not support the frame-ancestors directive https://caniuse.com/#feat=mdn-http_headers_csp_content-security-policy_frame-ancestors

@skjnldsv
Copy link
Member

skjnldsv commented Nov 23, 2019

Closing then :)

@skjnldsv skjnldsv closed this Nov 23, 2019
minecrawler added a commit to minecrawler/documentation that referenced this pull request Sep 29, 2022
@minecrawler
re-apply nextcloud#1714 add Content-Security-Policy header
55290d0
minecrawler added a commit to minecrawler/documentation that referenced this pull request Sep 29, 2022
@minecrawler
re-apply nextcloud#1714 add Content-Security-Policy header
05c3010
@minecrawler minecrawler mentioned this pull request Sep 29, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@kesselb kesselb Awaiting requested review from kesselb

@rullzer rullzer Awaiting requested review from rullzer

@blizzz blizzz Awaiting requested review from blizzz

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@morgankevinj @skjnldsv @rullzer @kesselb