From: Michael Ströder <michael@stroeder.com>
To: galene@lists.galene.org
Date: Wed, 27 Jan 2021 23:15:45 +0100
Subject: [Galene] Re: "This operation is insecure"
In-Reply-To: <87ft2m9hve.wl-jch@irif.fr>
References: <2fdb1db7-27f7-c23d-f2ca-11b9c59db125@stroeder.com> <87pn1q9mc9.wl-jch@irif.fr> <87o8ha9m7g.wl-jch@irif.fr> <87k0ry9l86.wl-jch@irif.fr> <61231ca5-474e-d180-391e-8f0b0ddb77d0@stroeder.com> <87ft2m9hve.wl-jch@irif.fr>
List-Id: Galène videoconferencing server discussion list
On 1/27/21 10:42 PM, Juliusz Chroboczek wrote:
>> FWIW the Apache httpd config settings:
>
>> Header onsuccess unset Content-Security-Policy
>> Header always set Content-Security-Policy "base-uri 'self'; child-src
>> 'self'; connect-src 'self'; default-src 'self'; font-src 'self';
>> form-action 'self'; frame-ancestors 'none'; frame-src 'none'; img-src
>> 'self' data:; media-src 'self'; object-src 'self'; script-src 'self';
>> style-src 'self';"
>
>> Note that this worked just fine until recent update.
>
> I find that surprising. The "wss:" entry in connect-src was added back in
> the spring of 2020 because without it Galène wouldn't work on iPads. As
> to "media-src blob:", streaming videos from disk won't work without it.

Sorry for the confusion: I was looking at configuration of the wrong
virtual host in my reverse proxy. The virtual host actually used does
*not* modify any security headers like Content-Security-Policy.

> Perhaps you could explain why you are munging the headers in the frontend.

Frankly I was not aware that Galène sets Content-Security-Policy. I will
look more closely into that. Nevertheless it's irrelevant for this
particular issue. I definitely know that Safari users were successfully
using the system before upgrade to commit
9d9db1a92060a3e0ce15021234b8561a3e6bfc49.

Ciao, Michael.
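As an added illustration of the mismatch discussed in this thread (not code from the thread, from Galène, or from either poster), the script below parses a Content-Security-Policy header and reports which of the sources Juliusz names are absent: `wss:` in `connect-src` and `blob:` in `media-src`. The requirement table is an assumption taken from his reply; the sample policy is the proxy-side header quoted above, reassembled onto one line. The check honours two CSP rules that matter when a reverse proxy rewrites the header: a fetch directive that is not set falls back to `default-src`, and `*` matches network schemes (`http:`, `https:`, `ws:`, `wss:`) but never `blob:` or `data:`.

```python
"""Check a Content-Security-Policy header for the sources a Galene frontend
needs, as stated in the thread (assumed requirement, not Galene's own code)."""
from __future__ import annotations

# Constructed sample: the proxy policy quoted in the email, joined onto one line.
QUOTED_POLICY = (
    "base-uri 'self'; child-src 'self'; connect-src 'self'; default-src 'self'; "
    "font-src 'self'; form-action 'self'; frame-ancestors 'none'; frame-src 'none'; "
    "img-src 'self' data:; media-src 'self'; object-src 'self'; script-src 'self'; "
    "style-src 'self';"
)

# Assumed requirements, taken from Juliusz's reply in the thread.
REQUIRED: dict[str, set[str]] = {
    "connect-src": {"wss:"},   # WebSocket signalling (needed on iPads)
    "media-src": {"blob:"},    # streaming video from disk
}

# Per the CSP spec, a bare '*' source matches URLs with these schemes only;
# it does not grant blob:, data: or filesystem: sources.
NETWORK_SCHEMES = {"http:", "https:", "ws:", "wss:"}


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header into {directive: [source expressions]}.

    Directive names are case-insensitive; when a directive appears twice,
    browsers keep the first occurrence and ignore the rest, so we do too.
    """
    policy: dict[str, list[str]] = {}
    for raw in header.split(";"):
        tokens = raw.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name in policy:
            continue
        policy[name] = tokens[1:]
    return policy


def effective_sources(policy: dict[str, list[str]], directive: str) -> list[str]:
    """Sources governing `directive`, falling back to default-src when the
    specific fetch directive is not present in the policy."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src", [])


def grants(sources: list[str], wanted: str) -> bool:
    """True if the source list allows the scheme source `wanted`."""
    lowered = {s.lower() for s in sources}
    if wanted.lower() in lowered:
        return True
    # '*' covers network schemes only (so it grants wss: but not blob:).
    return "*" in lowered and wanted.lower() in NETWORK_SCHEMES


def missing_sources(header: str,
                    required: dict[str, set[str]] = REQUIRED) -> dict[str, set[str]]:
    """Return {directive: {sources the header fails to grant}}; empty if fine."""
    policy = parse_csp(header)
    missing: dict[str, set[str]] = {}
    for directive, needed in required.items():
        allowed = effective_sources(policy, directive)
        gap = {src for src in needed if not grants(allowed, src)}
        if gap:
            missing[directive] = gap
    return missing


if __name__ == "__main__":
    for directive, gap in sorted(missing_sources(QUOTED_POLICY).items()):
        print(f"{directive}: missing {' '.join(sorted(gap))}")
```

Run against the quoted proxy policy it reports both `connect-src: missing wss:` and `media-src: missing blob:`, which is exactly what overriding the upstream header with `Header always set` would cause; pointing it at the header the application itself sends is a quick way to confirm a proxy is not rewriting it.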