From 440841d1ffd0f3d4398019da26e61e7340cd12ef Mon Sep 17 00:00:00 2001 From: Travis Ralston Date: Thu, 30 Aug 2018 12:13:21 -0600 Subject: [PATCH] Recommend a CSP rather than require it. --- changelogs/client_server/newsfragments/1600.feature | 1 + specification/modules/content_repo.rst | 7 +++---- 2 files changed, 4 insertions(+), 4 deletions(-) create mode 100644 changelogs/client_server/newsfragments/1600.feature diff --git a/changelogs/client_server/newsfragments/1600.feature b/changelogs/client_server/newsfragments/1600.feature new file mode 100644 index 00000000..142a67b2 --- /dev/null +++ b/changelogs/client_server/newsfragments/1600.feature @@ -0,0 +1 @@ +Recommend that servers set a Content Security Policy for the content repository. diff --git a/specification/modules/content_repo.rst b/specification/modules/content_repo.rst index f6da38ff..51cf999a 100644 --- a/specification/modules/content_repo.rst +++ b/specification/modules/content_repo.rst @@ -33,10 +33,9 @@ recipient's local homeserver, which must first transfer the content from the origin homeserver using the same API (unless the origin and destination homeservers are the same). -When serving content, the server MUST provide a ``Content-Security-Policy`` -header. The policy may be more restrictive, however the minimum policy is -``default-src 'none'; script-src 'none'; plugin-types application/pdf; -style-src 'unsafe-inline'; object-src 'self';``. +When serving content, the server SHOULD provide a ``Content-Security-Policy`` +header. The recommended policy is ``default-src 'none'; script-src 'none'; +plugin-types application/pdf; style-src 'unsafe-inline'; object-src 'self';``. Client behaviour ----------------
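Review bot: in the content_repo.rst hunk, relaxing MUST to SHOULD also drops the sentence "The policy may be more restrictive, however the minimum policy is", so the spec no longer tells server operators that they are free to tighten the recommended policy (for example by dropping `'unsafe-inline'` from `style-src` or narrowing `object-src`). Suggest keeping that allowance in the new wording, e.g. "The recommended minimum policy is ``default-src 'none'; ...``; servers MAY set a more restrictive policy.", and, since the header is now optional, adding one sentence on why it is recommended (the repository serves untrusted user uploads to browsers) so implementers do not read SHOULD as "optional and harmless to omit".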