From: "Michael Ströder" <michael@stroeder.com>
To: galene@lists.galene.org
Subject: [Galene] Re: "This operation is insecure"
Date: Wed, 27 Jan 2021 23:15:45 +0100
Message-ID: <b3b79a0f-394d-6348-c4ee-31036d2f58eb@stroeder.com>
In-Reply-To: <87ft2m9hve.wl-jch@irif.fr>

On 1/27/21 10:42 PM, Juliusz Chroboczek wrote:
>> FWIW the Apache httpd config settings:
>
>> Header onsuccess unset Content-Security-Policy
>> Header always set Content-Security-Policy "base-uri 'self'; child-src
>> 'self'; connect-src 'self'; default-src 'self'; font-src 'self';
>> form-action 'self'; frame-ancestors 'none'; frame-src 'none'; img-src
>> 'self' data:; media-src 'self'; object-src 'self'; script-src 'self';
>> style-src 'self';"
>
>> Note that this worked just fine until recent update.
>
> I find that surprising. The "wss:" entry in connect-src was added back in
> the spring of 2020 because without it Galène wouldn't work on iPads. As
> to "media-src blob:", streaming videos from disk won't work without it.

Sorry for the confusion: I was looking at configuration of the wrong
virtual host in my reverse proxy. The virtual host actually used does
*not* modify any security headers like Content-Security-Policy.

> Perhaps you could explain why you are munging the headers in the frontend.

Frankly I was not aware that Galène sets Content-Security-Policy. I will
look more closely into that.

Nevertheless it's irrelevant for this particular issue. I definitely know
that Safari users were successfully using the system before upgrade to
commit 9d9db1a92060a3e0ce15021234b8561a3e6bfc49.

Ciao, Michael.
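An added check, not code from the thread or from Galène: a small Python parser that applies the CSP default-src fallback and reports whether a reverse proxy's Content-Security-Policy override still permits the "wss:" (connect-src) and "blob:" (media-src) sources the thread says Galène needs. The PROXY_CSP sample is constructed from the Apache value quoted above; treating 'self' as not covering wss: is a deliberate assumption based on the iPad report in the thread.

```python
"""Check whether a reverse-proxy CSP override keeps the sources Galene needs."""
from typing import Dict, List, Tuple

# Constructed sample: the Apache override quoted in the thread, as one header value.
PROXY_CSP = (
    "base-uri 'self'; child-src 'self'; connect-src 'self'; default-src 'self'; "
    "font-src 'self'; form-action 'self'; frame-ancestors 'none'; frame-src 'none'; "
    "img-src 'self' data:; media-src 'self'; object-src 'self'; script-src 'self'; "
    "style-src 'self';"
)

# Fetch directives that fall back to default-src when they are absent.
FETCH_DIRECTIVES = {"connect-src", "media-src", "script-src", "style-src", "img-src",
                    "font-src", "child-src", "frame-src", "object-src"}
# A bare '*' source matches only network schemes, never blob: or data:.
NETWORK_SCHEMES = {"http:", "https:", "ws:", "wss:"}


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [sources]}; repeated directives are ignored."""
    policy: Dict[str, List[str]] = {}
    for token in header.split(";"):
        parts = token.split()
        if parts and parts[0].lower() not in policy:
            policy[parts[0].lower()] = [p.lower() for p in parts[1:]]
    return policy


def effective_sources(policy: Dict[str, List[str]], directive: str) -> List[str]:
    """Source list that actually governs `directive`, applying the default-src fallback."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src", []) if directive in FETCH_DIRECTIVES else []


def allows_scheme(policy: Dict[str, List[str]], directive: str, scheme: str) -> bool:
    """True if a scheme-source such as "wss:" or "blob:" is permitted for `directive`.
    'self' is deliberately not counted (assumption): the thread reports that iPads
    needed an explicit wss: entry, so same-origin WebSocket access is not assumed."""
    sources = effective_sources(policy, directive)
    if scheme in sources:
        return True
    return "*" in sources and scheme in NETWORK_SCHEMES


def missing_galene_sources(header: str) -> List[Tuple[str, str]]:
    """(directive, scheme) pairs the thread names as required that `header` blocks."""
    policy = parse_csp(header)
    required = [("connect-src", "wss:"), ("media-src", "blob:")]
    return [(d, s) for d, s in required if not allows_scheme(policy, d, s)]
```

Running `missing_galene_sources(PROXY_CSP)` on the quoted override reports both sources as blocked, which matches the breakage Juliusz describes; a header that only sets `default-src 'self' wss: blob:` passes because of the fallback.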