From: Juliusz Chroboczek <jch@irif.fr>
To: Michael Ströder
CC: galene@lists.galene.org
Date: Wed, 27 Jan 2021 22:42:29 +0100
Subject: [Galene] Re: "This operation is insecure"
Message-ID: <87ft2m9hve.wl-jch@irif.fr>
In-Reply-To: <61231ca5-474e-d180-391e-8f0b0ddb77d0@stroeder.com>
List-Id: Galène videoconferencing server discussion list

> FWIW the Apache httpd config settings:
>
> Header onsuccess unset Content-Security-Policy
> Header always set Content-Security-Policy "base-uri 'self'; child-src
> 'self'; connect-src 'self'; default-src 'self'; font-src 'self';
> form-action 'self'; frame-ancestors 'none'; frame-src 'none'; img-src
> 'self' data:; media-src 'self'; object-src 'self'; script-src 'self';
> style-src 'self';"
>
> Note that this worked just fine until recent update.

I find that surprising. The "wss:" entry in connect-src was added back
in the spring of 2020 because without it Galène wouldn't work on iPads.
As to "media-src blob:", streaming videos from disk won't work without it.

Perhaps you could explain why you are munging the headers in the
frontend. Is there an actual attack that you're concerned about? If so,
then we should think together about avoiding the attack, rather than
having each user use their own idiosyncratic set of security-related
headers.

-- Juliusz
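As an added example (not code from this thread or from the Galène project), the following checker parses a Content-Security-Policy value like the one quoted above and reports which of the scheme sources named in the reply, `wss:` in `connect-src` and `blob:` in `media-src`, the policy fails to allow, taking the default-src fallback into account. The requirement table `GALENE_REQUIRED` is an assumption distilled from the message, not a list published by the project.

```python
# Added example, not Galène project code. Requirement table (wss: in
# connect-src, blob: in media-src) comes from the message above; the
# default-src fallback rule is standard CSP fetch-directive behaviour.

# Fetch directives that fall back to default-src when absent.
FETCH_DIRECTIVES = {"connect-src", "media-src", "img-src", "script-src",
                    "style-src", "font-src", "child-src", "frame-src"}

# Scheme sources a Galène front end needs beyond 'self' (per the thread).
GALENE_REQUIRED = {"connect-src": {"wss:"}, "media-src": {"blob:"}}

def parse_csp(policy: str) -> dict[str, list[str]]:
    """Split a CSP header value into {directive: [source expressions]}.
    Names are case-insensitive; first occurrence of a directive wins."""
    result: dict[str, list[str]] = {}
    for token in policy.split(";"):
        parts = token.split()
        if parts:
            result.setdefault(parts[0].lower(), parts[1:])
    return result

def effective_sources(csp: dict[str, list[str]], directive: str) -> list[str]:
    """Sources governing a directive, honouring the default-src fallback."""
    if directive in csp:
        return csp[directive]
    return csp.get("default-src", []) if directive in FETCH_DIRECTIVES else []

def missing_sources(policy: str, required=GALENE_REQUIRED) -> dict[str, set[str]]:
    """Return {directive: required scheme sources the policy does not list}.
    Scheme sources such as blob: must be listed literally, so no wildcard
    interpretation is attempted here."""
    csp = parse_csp(policy)
    missing = {}
    for directive, needed in required.items():
        allowed = {s.lower() for s in effective_sources(csp, directive)}
        gap = {s for s in needed if s not in allowed}
        if gap:
            missing[directive] = gap
    return missing

# Constructed sample: the policy quoted in the thread, flattened to one line.
QUOTED_POLICY = ("base-uri 'self'; child-src 'self'; connect-src 'self'; default-src 'self'; "
                 "font-src 'self'; form-action 'self'; frame-ancestors 'none'; frame-src 'none'; "
                 "img-src 'self' data:; media-src 'self'; object-src 'self'; script-src 'self'; "
                 "style-src 'self';")

if __name__ == "__main__":
    # Prints {'connect-src': {'wss:'}, 'media-src': {'blob:'}} for the sample.
    print(missing_sources(QUOTED_POLICY))
```

Adding `wss:` to `connect-src` and `blob:` to `media-src` in the quoted header makes the checker return an empty dict.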