Galène videoconferencing server discussion list archives
 help / color / mirror / Atom feed
* [Galene] HTTP security headers
@ 2021-01-13 13:14 Michael Ströder
  2021-01-13 13:47 ` [Galene] " Juliusz Chroboczek
  0 siblings, 1 reply; 3+ messages in thread
From: Michael Ströder @ 2021-01-13 13:14 UTC (permalink / raw)
  To: galene

HI!

FWIW: Find below what I've added to my Apache reverse proxy config
(sorry, long lines wrapped). Of course 'self' has to be tweaked in case
you have a more complex URL routing.

It seems to still work ;-).
It has A+ rating [1].

Please comment if there's something wrong with that.

Ciao, Michael.

[1] https://securityheaders.com

------------------- bite here ---------------
  Header onsuccess unset Content-Security-Policy
  Header always set Content-Security-Policy "base-uri 'self'; child-src
'self'; connect-src 'self'; default-src 'self'; font-src 'self';
form-action 'self'; frame-ancestors 'none'; frame-src 'none'; img-src
'self' data:; media-src 'self'; object-src 'self'; script-src 'self';
style-src 'self';"
  Header onsuccess unset Feature-Policy
  Header always set Feature-Policy "ambient-light-sensor 'none';
autoplay 'none'; accelerometer 'none'; camera 'self'; display-capture
'none'; document-domain 'none'; encrypted-media 'none'; fullscreen
'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none';
microphone 'self'; midi 'none'; payment 'none'; picture-in-picture
'self'; speaker 'self'; sync-xhr 'none'; usb 'none'; wake-lock 'none';
vr 'none'; xr 'none'"
  Header onsuccess unset Permissions-Policy
  Header always set Permissions-Policy "accelerometer=(), camera=(self),
geolocation=(), gyroscope=(), magnetometer=(), microphone=(self),
payment=(), usb=()"

^ permalink raw reply	[flat|nested] 3+ messages in thread

* [Galene] Re: HTTP security headers
  2021-01-13 13:14 [Galene] HTTP security headers Michael Ströder
@ 2021-01-13 13:47 ` Juliusz Chroboczek
  2021-01-13 15:55   ` Michael Ströder
  0 siblings, 1 reply; 3+ messages in thread
From: Juliusz Chroboczek @ 2021-01-13 13:47 UTC (permalink / raw)
  To: Michael Ströder; +Cc: galene

> FWIW: Find below what I've added to my Apache reverse proxy config
> (sorry, long lines wrapped). Of course 'self' has to be tweaked in case
> you have a more complex URL routing.

Any opinions from HTTP specialists?

> It seems to still work ;-).

On iPad too?  I've needed to relax quite a bit the CSP header in order to
humour Safari.

Did you check if streaming from disk still works?

-- Juliusz

^ permalink raw reply	[flat|nested] 3+ messages in thread

* [Galene] Re: HTTP security headers
  2021-01-13 13:47 ` [Galene] " Juliusz Chroboczek
@ 2021-01-13 15:55   ` Michael Ströder
  0 siblings, 0 replies; 3+ messages in thread
From: Michael Ströder @ 2021-01-13 15:55 UTC (permalink / raw)
  To: galene

On 1/13/21 2:47 PM, Juliusz Chroboczek wrote:
>> FWIW: Find below what I've added to my Apache reverse proxy config
>> (sorry, long lines wrapped). Of course 'self' has to be tweaked in case
>> you have a more complex URL routing.
> 
> Any opinions from HTTP specialists?

Tweaked stuff some more:

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: sameorigin
Frame-Options: SAMEORIGIN
Referrer-Policy: same-origin
Content-Security-Policy: base-uri 'self'; child-src 'self'; connect-src
'self'; default-src 'self'; font-src 'self'; form-action 'self';
frame-ancestors 'none'; frame-src 'none'; img-src 'self' data:;
media-src 'self'; object-src 'self'; script-src 'self'; style-src 'self';
Feature-Policy: ambient-light-sensor 'none'; autoplay 'self';
accelerometer 'none'; camera 'self'; display-capture 'none';
document-domain 'none'; encrypted-media 'none'; fullscreen 'none';
geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone
'self'; midi 'none'; payment 'none'; picture-in-picture 'self'; speaker
'self'; sync-xhr 'none'; usb 'none'; wake-lock 'none'; vr 'none'; xr 'none'
Permissions-Policy: geolocation=(none), notifications=(none),
push=(none), midi=(none), camera=(self), microphone=(self),
speaker-selection=(self), device-info=(none), background-fetch=(none),
background-sync=(none), bluetooth=(none), persistent-storage=(none),
ambient-light-sensor=(none), accelerometer=(none), gyroscope=(none),
magnetometer=(none), clipboard-read=(none), clipboard-write=(none),
display-capture=(none), nfc=(none)

Both Feature-Policy and Permissions-Policy are still experimental with
the latter being the replacement for the former.

Permissions-Policy for Media devices:
https://w3c.github.io/permissions/#media-devices

Permissions-Policy does not have wide support, only Chrome but not
enabled by default:
https://caniuse.com/permissions-policy

Feature-Policy seems somewhat supported:
https://caniuse.com/feature-policy

>> It seems to still work ;-).
> 
> On iPad too?  I've needed to relax quite a bit the CSP header in order to
> humour Safari.

Do you have test devices? Then I'd send you a link for testing.

> Did you check if streaming from disk still works?

It works with Chromium. With my Firefox the MIME type cannot be viewed.
Probably missing webm support?

Ciao, Michael.

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2021-01-13 15:55 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-01-13 13:14 [Galene] HTTP security headers Michael Ströder
2021-01-13 13:47 ` [Galene] " Juliusz Chroboczek
2021-01-13 15:55   ` Michael Ströder

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox