
Error in Content-Security-Policy HTTP header #915

Closed
louisjc opened this Issue Jun 24, 2015 · 2 comments

Contributor

louisjc commented Jun 24, 2015

There is an error in the Content-Security-Policy HTTP header:
content-security-policy = : script-src 'self'

The value starts with ":" but shouldn't, so it is invalid and does not work. I can't make a pull request about it because this concerns the nginx configuration, which is not accessible in this git.

EDIT: For those who did not know, this header forbids loading external scripts on the whole site. This protects a page against a cross-site scripting attack.

The thing is that the home page YouTube player is loading 3 external JS files. I think fixing this issue would break the player. To keep both the Content-Security-Policy and the YouTube player, we could whitelist Google's JS as follows:

content-security-policy = script-src 'self' s.ytimg.com google.com

Contributor

saivann commented Jun 24, 2015

@louisjc Thank you very much for catching this issue!

I just fixed the header as follows:
Content-Security-Policy = script-src 'self' 'unsafe-inline';

It turns out that the YouTube video works just fine in IE, FF, CH without using a specific header for Google and YouTube (it's loaded within an iframe).

Maybe this header could be more severe. I haven't really spent much time on it so recommendations are welcome.
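A small linter, added here as an illustration and not part of this project or either comment, that parses a CSP header value the way a browser splits it (on ";" then whitespace) and reports the two problems discussed above: the leading ":" in the original header, which makes the directive name invalid so the browser ignores it, and the 'unsafe-inline' keyword in the fix, which disables the inline-script protection the header is meant to provide. The directive list is a subset of the CSP specification chosen for this example; `lint_csp` and `parse_csp` are names invented here.

```python
import re

# Subset of standard CSP directive names recognised by this example.
KNOWN_DIRECTIVES = {
    "default-src", "script-src", "style-src", "img-src", "connect-src",
    "font-src", "object-src", "media-src", "frame-src", "child-src",
    "frame-ancestors", "base-uri", "form-action", "report-uri",
}

# Source keywords that re-enable injected script execution when present.
WEAK_KEYWORDS = {"'unsafe-inline'", "'unsafe-eval'"}

# Directive names must be ALPHA / DIGIT / "-" tokens; ":" does not qualify.
DIRECTIVE_NAME = re.compile(r"[a-z][a-z0-9-]*")


def parse_csp(value):
    """Split a CSP header value into {directive_name: [source expressions]}.

    Mirrors the browser algorithm: directives are ';'-separated, the first
    whitespace-delimited token is the name, the rest are sources. An invalid
    name (such as ':' from the original header) is kept so it can be flagged.
    """
    policy = {}
    for chunk in value.split(";"):
        tokens = chunk.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def lint_csp(value):
    """Return human-readable findings for a CSP header value (empty if clean)."""
    findings = []
    for name, sources in parse_csp(value).items():
        if not DIRECTIVE_NAME.fullmatch(name):
            findings.append(f"invalid directive name {name!r}: browsers ignore this directive")
        elif name not in KNOWN_DIRECTIVES:
            findings.append(f"unknown directive {name!r}")
        if name in ("script-src", "default-src"):
            for keyword in sorted(WEAK_KEYWORDS & set(sources)):
                findings.append(f"{name} allows {keyword}: inline script injection is not blocked")
    return findings


if __name__ == "__main__":
    for header in (": script-src 'self'",                      # original, broken
                   "script-src 'self' 'unsafe-inline';",       # the applied fix
                   "script-src 'self' s.ytimg.com google.com"):  # the proposed whitelist
        print(repr(header), "->", lint_csp(header) or ["ok"])
```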

Contributor

louisjc commented Jun 24, 2015

Great!

@louisjc louisjc closed this Jun 24, 2015
