Default CSP breaks federated media #618
Comments
|
related and not related at the same time, instance having a permissive csp are subject to tracking by inserting a 'pixel' in a blog post, so a good fix would probably be for instances to have a cache for remote medias (or at the very least be a dumb proxy) and serve them by itself, without requiring the client to contact an other server |
|
Agree, a cache or proxy for remote media is probably a good choice, but without that, I'd think unbreaking posts is worth the potential risk of a tracking pixel (since after all, a user who really cares would have an extension like uBlock Origin to block it). |
|
I have been testing my own CSP, but Google Chrome recently (maybe not so recently) added something that blocks wasm resources outright. Works in all other browsers though: My actual apache line: |
|
@iamdoubz Try to update it to for the moment (I didn't tested, but reading the error message, it may fix your issue). We probably need to update the config files in the docs to avoid this issue (or maybe we could provide the CSP header directly from Plume?). |
|
The 'wasm-eval' directive is only implemented to Chrome apps. So, you get a warning telling you that the directive does not exist. Also, I don't think putting a default CSP into the server configuration would be a great idea. If a user wants to change from the defaults, it would be easier for them to change it they that they may or may not be used to i.e. from Apache etc. See this discussion for more info: WebAssembly/content-security-policy#7 |
Look at this post: https://fediverse.blog/~/EveryFediverseInstance/peertube.social-instance-review-peer-tube on any other instance: https://cafe.sunbeam.city/~/[email protected]/peertube.social-instance-review-peer-tube and the media will not load. This is because the media is hotlinked to the original instance, but the strict content security policy doesn't allow it to be loaded
The text was updated successfully, but these errors were encountered: