Merge pull request #1600 from turt2live/travis/c2s/media-csp

Specify the minimum CSP for media
6 years ago · c127eed7e7
parent 73736d41db 440841d1ff
commit c127eed7e7
2 changed files with 5 additions and 0 deletions
--- a/changelogs/client_server/newsfragments/1600.feature
+++ b/changelogs/client_server/newsfragments/1600.feature
@ -0,0 +1 @@
+Recommend that servers set a Content Security Policy for the content repository.
--- a/specification/modules/content_repo.rst
+++ b/specification/modules/content_repo.rst
@ -33,6 +33,10 @@ recipient's local homeserver, which must first transfer the content from the
 origin homeserver using the same API (unless the origin and destination
 homeservers are the same).

+When serving content, the server SHOULD provide a ``Content-Security-Policy``
+header. The recommended policy is ``default-src 'none'; script-src 'none';
+plugin-types application/pdf; style-src 'unsafe-inline'; object-src 'self';``.
+
 Client behaviour
 ----------------
				`@ -0,0 +1 @@`
				`Recommend that servers set a Content Security Policy for the content repository.`