Add a Content Security Policy #486
It's been a while since I coded things in ruby. But as a first starting point, I browsed lobsters with the Firefox Laboratory Extension that infers a good CSP header for select web pages:
What it inferred was
The page doesn't seem to use anything fancy, so I'm somewhat confident that it won't break things.
Sounds like a good start. We prohibit images in markdown and locally cache gravatars for privacy, so
Looks like we only have five small inline
I found inline `style=` attributes though. Also images from imgur.com because (at least older posts) allowed images in markdown in the submission text only. Found some older mrta-posts from jcs. But yeah, nothing that can be fixed probably. I'd personally go with something more lax and a stricter one that's report-only.
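The "lax enforced policy plus stricter report-only policy" approach from the comment above, as an added example that is not lobsters' own code. It is a plain Rack middleware; the imgur hostname, the `/csp-reports` endpoint and the directive values are assumptions.

```ruby
# Added example (not lobsters' code): send a lax enforced CSP together with a
# stricter Content-Security-Policy-Report-Only header, so violations of the
# strict policy are reported without breaking existing pages.

# Serialize a directive hash into a CSP header value, e.g.
# { "default-src" => ["'self'"] } => "default-src 'self'"
def build_csp(directives)
  directives.map { |name, sources| "#{name} #{sources.join(' ')}" }.join('; ')
end

# Lax policy (enforced): tolerates the inline style= attributes and the imgur
# images found in older posts, so those pages keep rendering.
LAX_CSP = {
  "default-src"     => ["'self'"],
  "script-src"      => ["'self'"],
  "style-src"       => ["'self'", "'unsafe-inline'"],
  "img-src"         => ["'self'", "https://i.imgur.com"], # assumed imgur host
  "frame-ancestors" => ["'none'"],
}.freeze

# Strict policy (report-only): nothing is blocked, but the browser reports
# what would break once inline styles and external images are disallowed.
STRICT_CSP = {
  "default-src"     => ["'self'"],
  "script-src"      => ["'self'"],
  "style-src"       => ["'self'"],
  "img-src"         => ["'self'"],
  "frame-ancestors" => ["'none'"],
  "report-uri"      => ["/csp-reports"], # assumed reporting endpoint
}.freeze

# Rack middleware: adds both headers to every response of the wrapped app.
class DualCsp
  def initialize(app)
    @app = app
  end

  def call(env)
    status, headers, body = @app.call(env)
    headers["Content-Security-Policy"] = build_csp(LAX_CSP)
    headers["Content-Security-Policy-Report-Only"] = build_csp(STRICT_CSP)
    [status, headers, body]
  end
end

# Stand-in Rack app so the middleware can be exercised without a server.
def demo_response
  app = ->(_env) { [200, { "Content-Type" => "text/html" }, ["<p>hello</p>"]] }
  DualCsp.new(app).call({})
end
```

Once the report-only header stops producing reports for real traffic, its directives can be promoted into the enforced header.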