wholetrans/docs-matrix-spec
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Merge pull request #1600 from turt2live/travis/c2s/media-csp

Browse source 
Specify the minimum CSP for media
This commit is contained in:
Travis Ralston 2018-08-31 08:32:33 -06:00 committed by GitHub
commit c127eed7e7
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 5 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

1
changelogs/client_server/newsfragments/1600.feature Normal file
View file

@ -0,0 +1 @@
Recommend that servers set a Content Security Policy for the content repository.

4
specification/modules/content_repo.rst
View file

@ -33,6 +33,10 @@ recipient's local homeserver, which must first transfer the content from the
origin homeserver using the same API (unless the origin and destination origin homeserver using the same API (unless the origin and destination
homeservers are the same). homeservers are the same).
When serving content, the server SHOULD provide a ``Content-Security-Policy``
header. The recommended policy is ``default-src 'none'; script-src 'none';
plugin-types application/pdf; style-src 'unsafe-inline'; object-src 'self';``.
Client behaviour Client behaviour
---------------- ----------------