Galène videoconferencing server discussion list archives
From: "Michael Ströder"
Subject: [Galene] Re: HTTP security headers
Date: Wed, 13 Jan 2021 16:55:38 +0100

On 1/13/21 2:47 PM, Juliusz Chroboczek wrote:
>> FWIW: Find below what I've added to my Apache reverse proxy config
>> (sorry, long lines wrapped). Of course 'self' has to be tweaked in case
>> you have a more complex URL routing.
> Any opinions from HTTP specialists?

Tweaked stuff some more:

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: sameorigin
Frame-Options: SAMEORIGIN
Referrer-Policy: same-origin
Content-Security-Policy: base-uri 'self'; child-src 'self'; connect-src
'self'; default-src 'self'; font-src 'self'; form-action 'self';
frame-ancestors 'none'; frame-src 'none'; img-src 'self' data:;
media-src 'self'; object-src 'self'; script-src 'self'; style-src 'self';
Feature-Policy: ambient-light-sensor 'none'; autoplay 'self';
accelerometer 'none'; camera 'self'; display-capture 'none';
document-domain 'none'; encrypted-media 'none'; fullscreen 'none';
geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone
'self'; midi 'none'; payment 'none'; picture-in-picture 'self'; speaker
'self'; sync-xhr 'none'; usb 'none'; wake-lock 'none'; vr 'none'; xr 'none'
Permissions-Policy: geolocation=(none), notifications=(none),
push=(none), midi=(none), camera=(self), microphone=(self),
speaker-selection=(self), device-info=(none), background-fetch=(none),
background-sync=(none), bluetooth=(none), persistent-storage=(none),
ambient-light-sensor=(none), accelerometer=(none), gyroscope=(none),
magnetometer=(none), clipboard-read=(none), clipboard-write=(none),
display-capture=(none), nfc=(none)

Both Feature-Policy and Permissions-Policy are still experimental with
the latter being the replacement for the former.

Permissions-Policy for Media devices:

Permissions-Policy does not have wide support, only Chrome but not
enabled by default:

Feature-Policy seems somewhat supported:

>> It seems to still work ;-).
> On iPad too?  I've needed to relax quite a bit the CSP header in order to
> humour Safari.

Do you have test devices? Then I'd send you a link for testing.

> Did you check if streaming from disk still works?

It works with Chromium. With my Firefox the MIME type cannot be viewed.
Probably missing webm support?

Ciao, Michael.
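
Added example, not part of the original message or of Galène: a small Python lint that unfolds a wrapped header dump like the one above and cross-checks two things in it, the framing rules (X-Frame-Options against CSP frame-ancestors) and the Permissions-Policy allowlist tokens. The function names and the shortened sample are assumptions made for illustration.

```python
import re

# Constructed sample: a shortened, mail-wrapped copy of the header set in the message above.
SAMPLE = """\
X-Frame-Options: sameorigin
Content-Security-Policy: base-uri 'self'; default-src 'self';
frame-ancestors 'none'; frame-src 'none'; img-src 'self' data:;
script-src 'self'; style-src 'self';
Permissions-Policy: geolocation=(none), camera=(self),
microphone=(self), display-capture=(none)
"""

HEADER_START = re.compile(r"^([A-Za-z][A-Za-z0-9-]*):\s*(.*)$")

def unfold(text):
    """Join wrapped continuation lines back into {lowercase-name: value}."""
    headers, name = {}, None
    for line in text.splitlines():
        m = HEADER_START.match(line)
        if m:
            name = m.group(1).lower()
            headers[name] = m.group(2).strip()
        elif name and line.strip():
            headers[name] += " " + line.strip()
    return headers

def parse_csp(value):
    """Return {directive: [sources]}; a repeated directive is ignored, as in CSP."""
    out = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            out.setdefault(tokens[0].lower(), tokens[1:])
    return out

def parse_permissions(value):
    """Return {feature: [allowlist tokens]} for the simple feature=(...) form."""
    return {f: a.split() for f, a in re.findall(r"([a-z-]+)=\(([^)]*)\)", value)}

def lint(text):
    # Browsers that enforce frame-ancestors ignore X-Frame-Options, so the two should agree.
    h, notes = unfold(text), []
    fa = parse_csp(h.get("content-security-policy", "")).get("frame-ancestors")
    if fa == ["'none'"] and h.get("x-frame-options", "").lower() == "sameorigin":
        notes.append("framing: frame-ancestors 'none' is stricter than X-Frame-Options sameorigin")
    for feat, allow in parse_permissions(h.get("permissions-policy", "")).items():
        bad = [t for t in allow if t not in ("*", "self") and not t.startswith('"')]
        if bad:
            notes.append(f"permissions-policy: {feat} has undefined token {bad[0]}; empty allowlist is ()")
    return notes
```

The unfolding is a heuristic for mail-wrapped dumps: a continuation line that happens to begin with a `name:` pattern would be read as a new header.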
