Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Content Security Policy #28169

Closed
nicheosala opened this issue Nov 22, 2023 · 1 comment
Closed

Content Security Policy #28169

nicheosala opened this issue Nov 22, 2023 · 1 comment
Labels
type/proposal The new feature has not been accepted yet but needs to be discussed first.

Comments

@nicheosala
Copy link

nicheosala commented Nov 22, 2023
edited
Loading

Feature Description

This is the HTTP header of the Content Security Policy that I am currently leveraging for my Gitea instance:

default-src 'none'; connect-src 'self'; font-src 'self' data:; form-action 'self'; img-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; worker-src 'self'

According to CSP Evaluator, this is a good policy, with the exception of the script-src 'unsafe-inline' rule, the presence of which is classified like: "High severity finding" (and for good reason).

I know that eliminating that rule is not easy at all. I have encountered many GitHub issues regarding Gitea's CSP.

However, in my opinion, it would be a good idea to write a web page showing the best CSP policy available for Gitea.

If you can suggest a more restrictive policy than the one above, which does not compromise the functioning of Gitea, the advice is very welcome.

Screenshots

No response
@nicheosala nicheosala added the type/proposal The new feature has not been accepted yet but needs to be discussed first. label Nov 22, 2023
@silverwind
Copy link
Member

Duplicate of #305

@silverwind silverwind marked this as a duplicate of #305 Nov 22, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jan 7, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
type/proposal The new feature has not been accepted yet but needs to be discussed first.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@silverwind @nicheosala