What?
Add a default CSP that allows anything from the local domain, plus inline styles, data: URIs, and no framing. Plus, a referrer policy that will send a full Referer header to the local origin (thus, not mess with stats etc.), but truncate to strict origin when browsing across origins.
Why?
Including reasonable defaults here for both security and privacy will do the fediverse much good.
I am open to suggestions on what would be a better default. For instance, unsafe-inline for styles bugs me a little, but if not, we are breaking emoji as currently implemented. Similar reasoning goes for data URIs.
Also note that this CSP won't work like this with multi-server / CDN deployments, but I reckon a person who can set up a CDN can figure out how to tweak the CSP.
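The defaults described above, written out as concrete header values, as an added example that is not the pull request's own code. It builds the Content-Security-Policy and Referrer-Policy values, parses a policy back so the effective directives can be checked, flags the allowances a reviewer would want to see listed before shipping (the `'unsafe-inline'` for styles mentioned above), and wraps both headers in a Rack-style middleware that leaves any policy the application already set untouched, which is one way to give a CDN deployment an override. Assumptions: the description does not say which directive carries `data:`, so here it is scoped to `img-src`; "no framing" is expressed as `frame-ancestors 'none'`; the middleware shape (`call(env)` returning `[status, headers, body]`) is the standard Rack contract but nothing here requires the rack gem.

```ruby
# Added example (not the pull request's code): the described defaults as headers,
# plus a parser/check and a Rack-style middleware that applies them.
# Assumption: data: is allowed only for images (the text does not name a directive).

DEFAULT_CSP_DIRECTIVES = {
  "default-src"     => ["'self'"],                    # anything from the local origin
  "style-src"       => ["'self'", "'unsafe-inline'"], # inline styles (emoji, per the text)
  "img-src"         => ["'self'", "data:"],           # data: URIs, scoped to images (assumed)
  "frame-ancestors" => ["'none'"],                    # no framing by any site
}.freeze

# Full Referer to the local origin, origin only when crossing origins.
DEFAULT_REFERRER_POLICY = "strict-origin-when-cross-origin".freeze

# Serialise the directive hash into a Content-Security-Policy header value.
def build_csp(directives = DEFAULT_CSP_DIRECTIVES)
  directives.map { |name, sources| "#{name} #{sources.join(' ')}" }.join("; ")
end

# Parse a CSP header value back into {directive => [sources]} so a deployment
# check (or a test) can assert on the effective policy rather than the string.
def parse_csp(header)
  header.split(";").each_with_object({}) do |part, acc|
    tokens = part.strip.split(/\s+/)
    next if tokens.empty?
    acc[tokens.first] = tokens.drop(1)
  end
end

# List the allowances worth a second look: 'unsafe-inline' / 'unsafe-eval'
# in any directive, and data: in script-src.
def risky_allowances(header)
  parse_csp(header).flat_map do |name, sources|
    sources
      .select { |s| ["'unsafe-inline'", "'unsafe-eval'"].include?(s) || (name == "script-src" && s == "data:") }
      .map { |s| "#{name} allows #{s}" }
  end
end

# Minimal Rack-style middleware: sets both headers unless the app already did,
# so a multi-server / CDN deployment can supply its own tweaked policy.
class SecurityHeaders
  def initialize(app, csp: build_csp, referrer_policy: DEFAULT_REFERRER_POLICY)
    @app = app
    @csp = csp
    @referrer_policy = referrer_policy
  end

  def call(env)
    status, headers, body = @app.call(env)
    headers["Content-Security-Policy"] ||= @csp
    headers["Referrer-Policy"] ||= @referrer_policy
    [status, headers, body]
  end
end

if __FILE__ == $0
  # Constructed sample app: a bare HTML response with no security headers of its own.
  app = ->(_env) { [200, { "Content-Type" => "text/html" }, ["<html></html>"]] }
  _status, headers, _body = SecurityHeaders.new(app).call({})
  puts headers["Content-Security-Policy"]
  puts headers["Referrer-Policy"]
  risky_allowances(headers["Content-Security-Policy"]).each { |w| puts "note: #{w}" }
end
```

Running the file prints the two header values and one note, `style-src allows 'unsafe-inline'`, which is exactly the trade-off the description calls out; tightening styles later is then a one-line change to `DEFAULT_CSP_DIRECTIVES`.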