From e3182864046cb08d2791c518c826137844473444 Mon Sep 17 00:00:00 2001 From: David Baker Date: Mon, 10 Dec 2018 17:33:04 +0000 Subject: [PATCH] Add 'sandbox' to recommended CSP header --- specification/modules/content_repo.rst | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/specification/modules/content_repo.rst b/specification/modules/content_repo.rst index 51cf999a..e7bdb044 100644 --- a/specification/modules/content_repo.rst +++ b/specification/modules/content_repo.rst @@ -34,8 +34,9 @@ origin homeserver using the same API (unless the origin and destination homeservers are the same). When serving content, the server SHOULD provide a ``Content-Security-Policy`` -header. The recommended policy is ``default-src 'none'; script-src 'none'; -plugin-types application/pdf; style-src 'unsafe-inline'; object-src 'self';``. +header. The recommended policy is ``sandbox; default-src 'none'; script-src +'none'; plugin-types application/pdf; style-src 'unsafe-inline'; object-src +'self';``. Client behaviour ----------------
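Review bot: in the hunk at `@@ -34,8 +34,9 @@`, a bare `sandbox` directive (no `allow-*` flags) puts the served document in an opaque origin and disables scripts, forms, plugins and top-level navigation, so the `plugin-types application/pdf` and `object-src 'self'` allowances kept in the same policy no longer have any effect in a browser that honours `sandbox`; either drop them in this patch or add a sentence saying they are retained for user agents that do not implement the directive. The surrounding text should also state the reason for the addition (content uploaded by users is isolated from the homeserver's own origin, so an HTML or SVG upload cannot reach cookies or storage belonging to it) and note that `sandbox` is only honoured in the enforcing `Content-Security-Policy` header, not in `Content-Security-Policy-Report-Only` or a `<meta>` policy.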