From ec20c43220d0683d7f25514cbe0e8a2ddd4a43d8 Mon Sep 17 00:00:00 2001 From: Travis Ralston Date: Wed, 29 Aug 2018 10:55:34 -0600 Subject: [PATCH] Specify the minimum CSP for media Fixes https://github.com/matrix-org/matrix-doc/issues/1066 --- specification/modules/content_repo.rst | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/specification/modules/content_repo.rst b/specification/modules/content_repo.rst index 0f1a9944..f6da38ff 100644 --- a/specification/modules/content_repo.rst +++ b/specification/modules/content_repo.rst @@ -33,6 +33,11 @@ recipient's local homeserver, which must first transfer the content from the origin homeserver using the same API (unless the origin and destination homeservers are the same). +When serving content, the server MUST provide a ``Content-Security-Policy`` +header. The policy may be more restrictive, however the minimum policy is +``default-src 'none'; script-src 'none'; plugin-types application/pdf; +style-src 'unsafe-inline'; object-src 'self';``. + Client behaviour ----------------
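Review bot: The sentence "The policy may be more restrictive, however the minimum policy is ..." leaves "minimum" undefined for implementers; it should state that each directive a server sends MUST be at least as restrictive as the listed one (no source list may be widened, no directive dropped), and "however" should not be used as a conjunction joining the two clauses. The policy text itself deserves a rationale in the spec: `default-src 'none'; script-src 'none'` is the hardening, but `object-src 'self'` with `plugin-types application/pdf` deliberately leaves a PDF served by the repository renderable inline as a plugin object, and `style-src 'unsafe-inline'` is the one permissive directive; a reader cannot tell which media types motivated those two exceptions, so say why they are needed (e.g. which content relies on inline styles) so a server operator tightening beyond the minimum knows what will break. Two caveats worth recording next to the policy: `plugin-types` has since been deprecated by browsers, so a compliant policy should not rely on it alone to keep `object-src 'self'` safe, and the `sandbox` directive is the usual additional control for user-uploaded content served from the homeserver origin; consider mentioning it as a recommended stricter option.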