clarify the use of 'unsafe-eval' and what the impact removing it has - Firefox users may not care and disable it to improve security
This commit is contained in:
parent
7c61f59dcd
commit
8e27dbff15
|
@ -68,8 +68,17 @@ languageselection = false
|
|||
; custom scripts from third-party domains to your templates, e.g. tracking
|
||||
; scripts or run your site behind certain DDoS-protection services.
|
||||
; Check the documentation at https://content-security-policy.com/
|
||||
; Note: If you use a bootstrap theme, you can remove the allow-popups from the sandbox restrictions.
|
||||
; By default this disallows to load images from third-party servers, e.g. when they are embedded in pastes. If you wish to allow that, you can adjust the policy here. See https://github.com/PrivateBin/PrivateBin/wiki/FAQ#why-does-not-it-load-embedded-images for details.
|
||||
; Notes:
|
||||
; - If you use a bootstrap theme, you can remove the allow-popups from the
|
||||
; sandbox restrictions.
|
||||
; - By default this disallows to load images from third-party servers, e.g. when
|
||||
; they are embedded in pastes. If you wish to allow that, you can adjust the
|
||||
; policy here. See https://github.com/PrivateBin/PrivateBin/wiki/FAQ#why-does-not-it-load-embedded-images
|
||||
; for details.
|
||||
; - The 'unsafe-eval' is used in two cases; to check if the browser supports
|
||||
; async functions and display an error if not and for Chrome to enable
|
||||
; webassembly support (used for zlib compression). You can remove it if Chrome
|
||||
; doesn't need to be supported and old browsers don't need to be warned.
|
||||
; cspheader = "default-src 'none'; manifest-src 'self'; connect-src * blob:; script-src 'self' 'unsafe-eval'; style-src 'self'; font-src 'self'; img-src 'self' data: blob:; media-src blob:; object-src blob:; sandbox allow-same-origin allow-scripts allow-forms allow-popups allow-modals"
|
||||
|
||||
; stay compatible with PrivateBin Alpha 0.19, less secure
|
||||
|
|
Loading…
Reference in New Issue