From ec20c43220d0683d7f25514cbe0e8a2ddd4a43d8 Mon Sep 17 00:00:00 2001 From: Travis Ralston Date: Wed, 29 Aug 2018 10:55:34 -0600 Subject: [PATCH 1/2] Specify the minimum CSP for media Fixes https://github.com/matrix-org/matrix-doc/issues/1066 --- specification/modules/content_repo.rst | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/specification/modules/content_repo.rst b/specification/modules/content_repo.rst index 0f1a9944f..f6da38fff 100644 --- a/specification/modules/content_repo.rst +++ b/specification/modules/content_repo.rst @@ -33,6 +33,11 @@ recipient's local homeserver, which must first transfer the content from the origin homeserver using the same API (unless the origin and destination homeservers are the same). +When serving content, the server MUST provide a ``Content-Security-Policy`` +header. The policy may be more restrictive, however the minimum policy is +``default-src 'none'; script-src 'none'; plugin-types application/pdf; +style-src 'unsafe-inline'; object-src 'self';``. + Client behaviour ---------------- From 440841d1ffd0f3d4398019da26e61e7340cd12ef Mon Sep 17 00:00:00 2001 From: Travis Ralston Date: Thu, 30 Aug 2018 12:13:21 -0600 Subject: [PATCH 2/2] Recommend a CSP rather than require it. --- changelogs/client_server/newsfragments/1600.feature | 1 + specification/modules/content_repo.rst | 7 +++---- 2 files changed, 4 insertions(+), 4 deletions(-) create mode 100644 changelogs/client_server/newsfragments/1600.feature diff --git a/changelogs/client_server/newsfragments/1600.feature b/changelogs/client_server/newsfragments/1600.feature new file mode 100644 index 000000000..142a67b25 --- /dev/null +++ b/changelogs/client_server/newsfragments/1600.feature @@ -0,0 +1 @@ +Recommend that servers set a Content Security Policy for the content repository. diff --git a/specification/modules/content_repo.rst b/specification/modules/content_repo.rst index f6da38fff..51cf999a3 100644 --- a/specification/modules/content_repo.rst 
+++ b/specification/modules/content_repo.rst @@ -33,10 +33,9 @@ recipient's local homeserver, which must first transfer the content from the origin homeserver using the same API (unless the origin and destination homeservers are the same). -When serving content, the server MUST provide a ``Content-Security-Policy`` -header. The policy may be more restrictive, however the minimum policy is -``default-src 'none'; script-src 'none'; plugin-types application/pdf; -style-src 'unsafe-inline'; object-src 'self';``. +When serving content, the server SHOULD provide a ``Content-Security-Policy`` +header. The recommended policy is ``default-src 'none'; script-src 'none'; +plugin-types application/pdf; style-src 'unsafe-inline'; object-src 'self';``. Client behaviour ----------------
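Review bot: in the PATCH 1/2 hunk for ``specification/modules/content_repo.rst``, the added ``MUST provide a Content-Security-Policy header`` makes every deployed homeserver that does not yet send the header non-compliant, and this commit ships no changelog newsfragment for a normative change (the file list shows only ``content_repo.rst``); PATCH 2/2 relaxes the wording to SHOULD and adds the fragment, so squash the two commits before merge rather than leaving an intermediate revision that states a requirement the series never intended. Two smaller points on the same lines: ``The policy may be more restrictive, however the minimum policy is`` is a comma splice (use ``but`` or a full stop in place of ``however``), and ``script-src 'none'`` is already implied by ``default-src 'none'``, so either drop it or add a short remark that it is listed explicitly for clarity.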
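Review bot: in the ``changelogs/client_server/newsfragments/1600.feature`` hunk, the entry refers to a ``Content Security Policy`` while the spec text uses the literal header name ``Content-Security-Policy``; use the header name in the changelog line so the two match when searched. Otherwise fine for a one-line changelog fragment.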
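Review bot: in the PATCH 2/2 hunk for ``specification/modules/content_repo.rst``, changing MUST to SHOULD means a client can no longer assume the header is present on a download response, yet the new text says nothing about what the header is for or what to do when it is absent; add a sentence after the recommended policy stating that the header is a server-side safeguard against active content in uploaded files (HTML, SVG, PDF) running in the homeserver's origin, and that clients should continue to treat downloaded media as untrusted rather than rely on it. The hunk also drops the earlier ``The policy may be more restrictive`` sentence; keep it, since ``recommended`` alone leaves it unclear whether a server is permitted to tighten the policy. Finally, a line of rationale per directive would help server authors decide what is load-bearing: ``object-src 'self'`` together with ``plugin-types application/pdf`` permits only same-origin PDF rendering, and ``style-src 'unsafe-inline'`` presumably exists so inline styles in served SVG still render; say so if that is the intent.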