From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from srv1.stroeder.com (srv1.stroeder.com [213.240.180.113]) by mail.toke.dk (Postfix) with ESMTPS id 243AC7D58AF for ; Thu, 28 Jan 2021 17:16:17 +0100 (CET) Authentication-Results: mail.toke.dk; dkim=pass (1536-bit key) header.d=stroeder.com header.i=@stroeder.com header.b=CemeDf63 DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=stroeder.com; s=stroeder-com-20201114; t=1611850574; bh=GclCXJD2dC6A6LfFLNvP6hm9vV67ONRHyi3rDPLjPSk=; h=Subject:To:References:From:Date:In-Reply-To:From; b=CemeDf63zq2TAOUX54Loj6h5c8ZOwScPU2hVBy/u/tG31ZSoaxcCdwmHLpeEqc5Kl 3shS/0EGzcarji974o/A0mZO7itQGLBx44dYVuftlkmhzQxSL6iACG8EzwLVXsP7+L 7PIuGmJMErk///M1isBI68Q5xTSzp8jR89bSiVM4TPAdFtsg32QRTgft/rw7tQ3ef8 OX9dBpt25wt++mpcfLhBZoId8pI1ErBpMcRdynU0u2wfzHgTxRtBjOzbL3+ To: galene@lists.galene.org References: <2fdb1db7-27f7-c23d-f2ca-11b9c59db125@stroeder.com> <87pn1q9mc9.wl-jch@irif.fr> <87o8ha9m7g.wl-jch@irif.fr> <87k0ry9l86.wl-jch@irif.fr> <61231ca5-474e-d180-391e-8f0b0ddb77d0@stroeder.com> <87ft2m9hve.wl-jch@irif.fr> From: =?UTF-8?Q?Michael_Str=c3=b6der?= Message-ID: <8aea027c-63f9-9600-f084-dd3ebf569ef8@stroeder.com> Date: Thu, 28 Jan 2021 17:16:14 +0100 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.6.1 MIME-Version: 1.0 In-Reply-To: <87ft2m9hve.wl-jch@irif.fr> Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: quoted-printable Message-ID-Hash: IS5J3IAI664MJG6XWIPJYACUBK2Z3V7B X-Message-ID-Hash: IS5J3IAI664MJG6XWIPJYACUBK2Z3V7B X-MailFrom: michael@stroeder.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; suspicious-header X-Mailman-Version: 3.3.2 Precedence: list Subject: [Galene] Re: "This operation is insecure" List-Id: =?utf-8?q?Gal=C3=A8ne_videoconferencing_server_discussion_list?= Archived-At: List-Archive: List-Help: List-Post: List-Subscribe: List-Unsubscribe: On 1/27/21 10:42 PM, Juliusz Chroboczek wrote: >> FWIW the Apache httpd config settings: >=20 >> Header onsuccess unset Content-Security-Policy >> Header always set Content-Security-Policy "base-uri 'self'; child-sr= c >> 'self'; connect-src 'self'; default-src 'self'; font-src 'self'; >> form-action 'self'; frame-ancestors 'none'; frame-src 'none'; img-src >> 'self' data:; media-src 'self'; object-src 'self'; script-src 'self'; >> style-src 'self';" >=20 >> Note that this worked just fine until recent update. >=20 > I find that suprising. The "wss:" entry in connect-src was added back = in > the spring of 2020 because without it Gal=C3=A8ne wouldn't work on iPad= s. As > to "media-src blob:", streaming videos from disk won't work without it. Ok, following your advice I've successfully tested normal video conference with an Safari-on-iPad user and the following complete CSP header: Content-Security-Policy: base-uri 'self'; child-src 'self'; connect-src wss: 'self'; default-src 'self'; font-src 'self'; form-action 'self'; frame-ancestors 'none'; frame-src 'none'; img-src 'self' data:; media-src blob: 'self'; object-src 'self'; script-src 'self'; style-src 'self'; Mainly I want to 1. disable frames. 2. limit connect-src to wss: because all traffic must be TLS encrypted. 3. tighten resource loading some more just in case some browsers might not obey default-src 'self'. 4. set a report-uri later. Ciao, Michael.