From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from srv1.stroeder.com (srv1.stroeder.com [213.240.180.113]) by mail.toke.dk (Postfix) with ESMTPS id AE6D77CAB38 for ; Wed, 13 Jan 2021 16:55:40 +0100 (CET) Authentication-Results: mail.toke.dk; dkim=pass (1536-bit key) header.d=stroeder.com header.i=@stroeder.com header.b=SB+Zzfe2 DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=stroeder.com; s=stroeder-com-20201114; t=1610553338; bh=nHpJjzNHTV9GS3Btr4e89lfgrYtND9v7XEh+T8YBTr0=; h=Subject:To:References:From:Date:In-Reply-To:From; b=SB+Zzfe27+9Ze+Vk1/ylePC9t439GrkRki+DeQIkeEPe5yt2heLkMjaRX3ZOn3xLy 3AZtZ1n9V0eq1H9kWFhwTwouPnEPFaGctMjAIUoH/uarBN64TdboCxciQ9P3AUCUfs Av+bT59HyuzMEevMmgJ/FRjK+NwijOnZJfgx8jfG5uuSPlHBWnyhUMLPkM+NpdkFAe O9+1LV+LkcNObyUyRtMUyCFn9GV7mUwQ9MuldZhb2CpUWraiHAhWzEmZ+Sh To: galene@lists.galene.org References: <07523639-ddbe-0c35-0c83-56cbd3ab8ea8@stroeder.com> <87wnwhne3k.wl-jch@irif.fr> From: =?UTF-8?Q?Michael_Str=c3=b6der?= Message-ID: Date: Wed, 13 Jan 2021 16:55:38 +0100 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.6.0 MIME-Version: 1.0 In-Reply-To: <87wnwhne3k.wl-jch@irif.fr> Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit Message-ID-Hash: AZTAZ436VJKXSN6EHIQEMXYOJBT7USDC X-Message-ID-Hash: AZTAZ436VJKXSN6EHIQEMXYOJBT7USDC X-MailFrom: michael@stroeder.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; suspicious-header X-Mailman-Version: 3.3.2 Precedence: list Subject: [Galene] Re: HTTP security headers List-Id: =?utf-8?q?Gal=C3=A8ne_videoconferencing_server_discussion_list?= Archived-At: List-Archive: List-Help: List-Post: List-Subscribe: List-Unsubscribe: On 1/13/21 2:47 PM, Juliusz Chroboczek wrote: >> FWIW: Find below what I've added to my Apache reverse proxy config >> (sorry, long lines wrapped). Of course 'self' has to be tweaked in case >> you have a more complex URL routing. > > Any opinions from HTTP specialists? Tweaked stuff some more: Strict-Transport-Security: max-age=31536000; includeSubDomains; preload X-XSS-Protection: 1; mode=block X-Content-Type-Options: nosniff X-Frame-Options: sameorigin Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Content-Security-Policy: base-uri 'self'; child-src 'self'; connect-src 'self'; default-src 'self'; font-src 'self'; form-action 'self'; frame-ancestors 'none'; frame-src 'none'; img-src 'self' data:; media-src 'self'; object-src 'self'; script-src 'self'; style-src 'self'; Feature-Policy: ambient-light-sensor 'none'; autoplay 'self'; accelerometer 'none'; camera 'self'; display-capture 'none'; document-domain 'none'; encrypted-media 'none'; fullscreen 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'self'; midi 'none'; payment 'none'; picture-in-picture 'self'; speaker 'self'; sync-xhr 'none'; usb 'none'; wake-lock 'none'; vr 'none'; xr 'none' Permissions-Policy: geolocation=(none), notifications=(none), push=(none), midi=(none), camera=(self), microphone=(self), speaker-selection=(self), device-info=(none), background-fetch=(none), background-sync=(none), bluetooth=(none), persistent-storage=(none), ambient-light-sensor=(none), accelerometer=(none), gyroscope=(none), magnetometer=(none), clipboard-read=(none), clipboard-write=(none), display-capture=(none), nfc=(none) Both Feature-Policy and Permissions-Policy are still experimental with the latter being the replacement for the former. Permissions-Policy for Media devices: https://w3c.github.io/permissions/#media-devices Permissions-Policy does not have wide support, only Chrome but not enabled by default: https://caniuse.com/permissions-policy Feature-Policy seems somewhat supported: https://caniuse.com/feature-policy >> It seems to still work ;-). > > On iPad too? I've needed to relax quite a bit the CSP header in order to > humour Safari. Do you have test devices? Then I'd send you a link for testing. > Did you check if streaming from disk still works? It works with Chromium. With my Firefox the MIME type cannot be viewed. Probably missing webm support? Ciao, Michael.