From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from srv1.stroeder.com (srv1.stroeder.com [213.240.180.113])
	by mail.toke.dk (Postfix) with ESMTPS id 2324F7D4BB5
	for <galene@lists.galene.org>; Wed, 27 Jan 2021 22:12:31 +0100 (CET)
Authentication-Results: mail.toke.dk;
	dkim=pass (1536-bit key) header.d=stroeder.com header.i=@stroeder.com header.b=lvKPNfJs
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=stroeder.com;
	s=stroeder-com-20201114; t=1611781950;
	bh=qRS8VuEfMLgTb3/cshV1+9qj3uesreCw3Ya7tRzgT+8=;
	h=Subject:From:To:References:Date:In-Reply-To:From;
	b=lvKPNfJseDTxLs18kb9P35Xld6kPNiYvq5h4oj/j/fvk4rF9eG8099+LHmkTSU4/7
	 o6bZXzViQGGvrCAAfhaVYWAPFMROfF1FjQpbRC65EnYwK5hjBYpc8NzQvhgJsz42Cx
	 /KnMXCcy0MaI33kY/oBImqB2Vy2AJVxThoek1Do99J370A8HW7lxJYpWNeT2VF8FwV
	 X/OgZNbFB0ceINVGQwVqnbjGrAKX8nhBquLe9b//hF4fO3rzxLtp1ijhlSY
From: =?UTF-8?Q?Michael_Str=c3=b6der?= <michael@stroeder.com>
To: galene@lists.galene.org
References: <c76be9d1-01f6-03ab-62cc-efba9760dec3@stroeder.com>
 <2fdb1db7-27f7-c23d-f2ca-11b9c59db125@stroeder.com>
 <87pn1q9mc9.wl-jch@irif.fr> <87o8ha9m7g.wl-jch@irif.fr>
 <b07b046c-4253-8201-df7a-abad48650e9d@stroeder.com>
 <87k0ry9l86.wl-jch@irif.fr>
 <e775e8f6-09c5-51bc-edba-412f6b7e72e0@stroeder.com>
Message-ID: <61231ca5-474e-d180-391e-8f0b0ddb77d0@stroeder.com>
Date: Wed, 27 Jan 2021 22:12:30 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101
 Thunderbird/78.6.1
MIME-Version: 1.0
In-Reply-To: <e775e8f6-09c5-51bc-edba-412f6b7e72e0@stroeder.com>
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: quoted-printable
Message-ID-Hash: YWPMN5TWOZTLL4RUZPA5CRD7DXVCM2UN
X-Message-ID-Hash: YWPMN5TWOZTLL4RUZPA5CRD7DXVCM2UN
X-MailFrom: michael@stroeder.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; suspicious-header
X-Mailman-Version: 3.3.2
Precedence: list
Subject: [Galene] Re: "This operation is insecure"
List-Id: =?utf-8?q?Gal=C3=A8ne_videoconferencing_server_discussion_list?= <galene.lists.galene.org>
Archived-At: <https://lists.galene.org/galene/61231ca5-474e-d180-391e-8f0b0ddb77d0@stroeder.com/>
List-Archive: <https://lists.galene.org/galene/>
List-Help: <mailto:galene-request@lists.galene.org?subject=help>
List-Post: <mailto:galene@lists.galene.org>
List-Subscribe: <mailto:galene-join@lists.galene.org>
List-Unsubscribe: <mailto:galene-leave@lists.galene.org>

On 1/27/21 10:09 PM, Michael Str=C3=B6der wrote:
> On 1/27/21 9:30 PM, Juliusz Chroboczek wrote:
>>>>> It looks like some versions of Mobile Safari don't like our
>>>>> Content-Security-Policy header.
>>>>
>>>> Did the user try to enable a filter?
>>
>>> Probably not.
>>
>> Hmm... are you running behind a reverse proxy?  Is the reverse proxy
>> modifying our CSP header?
>=20
> Yes.

FWIW the Apache httpd config settings:

  Header onsuccess unset Content-Security-Policy
  Header always set Content-Security-Policy "base-uri 'self'; child-src
'self'; connect-src 'self'; default-src 'self'; font-src 'self';
form-action 'self'; frame-ancestors 'none'; frame-src 'none'; img-src
'self' data:; media-src 'self'; object-src 'self'; script-src 'self';
style-src 'self';"

Note that this worked just fine until recent update.

Ciao, Michael.