From: "Michael Ströder" <michael@stroeder.com>
To: galene@lists.galene.org
Subject: [Galene] Re: HTTP security headers
Date: Wed, 13 Jan 2021 16:55:38 +0100 [thread overview]
Message-ID: <c56c2b40-8ed5-c162-b48b-e438711c491c@stroeder.com> (raw)
In-Reply-To: <87wnwhne3k.wl-jch@irif.fr>
On 1/13/21 2:47 PM, Juliusz Chroboczek wrote:
>> FWIW: Find below what I've added to my Apache reverse proxy config
>> (sorry, long lines wrapped). Of course 'self' has to be tweaked in case
>> you have a more complex URL routing.
>
> Any opinions from HTTP specialists?
Tweaked stuff some more:
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: sameorigin
Frame-Options: SAMEORIGIN
Referrer-Policy: same-origin
Content-Security-Policy: base-uri 'self'; child-src 'self'; connect-src
'self'; default-src 'self'; font-src 'self'; form-action 'self';
frame-ancestors 'none'; frame-src 'none'; img-src 'self' data:;
media-src 'self'; object-src 'self'; script-src 'self'; style-src 'self';
Feature-Policy: ambient-light-sensor 'none'; autoplay 'self';
accelerometer 'none'; camera 'self'; display-capture 'none';
document-domain 'none'; encrypted-media 'none'; fullscreen 'none';
geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone
'self'; midi 'none'; payment 'none'; picture-in-picture 'self'; speaker
'self'; sync-xhr 'none'; usb 'none'; wake-lock 'none'; vr 'none'; xr 'none'
Permissions-Policy: geolocation=(none), notifications=(none),
push=(none), midi=(none), camera=(self), microphone=(self),
speaker-selection=(self), device-info=(none), background-fetch=(none),
background-sync=(none), bluetooth=(none), persistent-storage=(none),
ambient-light-sensor=(none), accelerometer=(none), gyroscope=(none),
magnetometer=(none), clipboard-read=(none), clipboard-write=(none),
display-capture=(none), nfc=(none)
Both Feature-Policy and Permissions-Policy are still experimental with
the latter being the replacement for the former.
Permissions-Policy for Media devices:
https://w3c.github.io/permissions/#media-devices
Permissions-Policy does not have wide support, only Chrome but not
enabled by default:
https://caniuse.com/permissions-policy
Feature-Policy seems somewhat supported:
https://caniuse.com/feature-policy
>> It seems to still work ;-).
>
> On iPad too? I've needed to relax quite a bit the CSP header in order to
> humour Safari.
Do you have test devices? Then I'd send you a link for testing.
> Did you check if streaming from disk still works?
It works with Chromium. With my Firefox the MIME type cannot be viewed.
Probably missing webm support?
Ciao, Michael.
prev parent reply other threads:[~2021-01-13 15:55 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-01-13 13:14 [Galene] " Michael Ströder
2021-01-13 13:47 ` [Galene] " Juliusz Chroboczek
2021-01-13 15:55 ` Michael Ströder [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://lists.galene.org/postorius/lists/galene.lists.galene.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=c56c2b40-8ed5-c162-b48b-e438711c491c@stroeder.com \
--to=michael@stroeder.com \
--cc=galene@lists.galene.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox