Filip/matrix-spec
1
0
Fork 0
mirror of https://github.com/matrix-org/matrix-spec synced 2026-02-22 22:13:43 +01:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

Recommend a CSP rather than require it.

Browse source
This commit is contained in:
Travis Ralston 2018-08-30 12:13:21 -06:00
parent ec20c43220
commit 440841d1ff
2 changed files with 4 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
changelogs/client_server/newsfragments/1600.feature Normal file
View file

@ -0,0 +1 @@
Recommend that servers set a Content Security Policy for the content repository.

7
specification/modules/content_repo.rst
View file

@ -33,10 +33,9 @@ recipient's local homeserver, which must first transfer the content from the
origin homeserver using the same API (unless the origin and destination origin homeserver using the same API (unless the origin and destination
homeservers are the same). homeservers are the same).
When serving content, the server MUST provide a ``Content-Security-Policy`` When serving content, the server SHOULD provide a ``Content-Security-Policy``
header. The policy may be more restrictive, however the minimum policy is header. The recommended policy is ``default-src 'none'; script-src 'none';
``default-src 'none'; script-src 'none'; plugin-types application/pdf; plugin-types application/pdf; style-src 'unsafe-inline'; object-src 'self';``.
style-src 'unsafe-inline'; object-src 'self';``.
Client behaviour Client behaviour
---------------- ----------------