Merge pull request #1600 from turt2live/travis/c2s/media-csp

Specify the minimum CSP for media
This commit is contained in:
Travis Ralston 2018-08-31 08:32:33 -06:00 committed by GitHub
commit c127eed7e7
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 5 additions and 0 deletions

View file

@ -0,0 +1 @@
Recommend that servers set a Content Security Policy for the content repository.

View file

@ -33,6 +33,10 @@ recipient's local homeserver, which must first transfer the content from the
origin homeserver using the same API (unless the origin and destination
homeservers are the same).
When serving content, the server SHOULD provide a ``Content-Security-Policy``
header. The recommended policy is ``default-src 'none'; script-src 'none';
plugin-types application/pdf; style-src 'unsafe-inline'; object-src 'self';``.
Client behaviour
----------------