Content-Security-Policy and other security HTTP headers

narcisgarcia · June 11, 2021, 6:51am

Dashboard and other sections don’t show content unless I disable CSP & SOP.
Issue open at:

Content-Security-Policy and other security HTTP headers

opened 04:36AM - 11 Nov 20 UTC

bug stale

I've just installed and started with LibreTime (I don't know how to see version …at web interface) and my website has following HTTP headers set: ``` Header set Strict-Transport-Security "max-age=15768000" Header set X-Content-Type-Options "nosniff" Header set X-Frame-Options "SAMEORIGIN" Header set X-XSS-Protection "1; mode=block" Header set Content-Security-Policy "default-src 'none'; img-src 'self' data:; media-src 'self'; script-src 'self'; style-src 'self' data:; font-src 'self' data:; object-src 'self'; base-uri 'self'; connect-src 'self'; form-action 'self'; frame-ancestors 'self'" Header set Referrer-Policy "same-origin" Header set Permissions-Policy "payment=()" ``` Dashboard and other sections don't show content unless I disable completely the CSP line. 1. LibreTime HTML/CSS/JS code should be cleaned to allow a strict website security and approve test in observatory.mozilla.org 2. In the meanwhile, what are the minimum requirements in CSP to LibreTime web interface fully works?

Topic		Replies	Views
LibreTime 3 Beta Todos Dev Talk	21	2818	April 21, 2021
Uncaught DOMException: Blocked a frame with origin "https://music.domain.com" from accessing a cross-origin frame	2	2846	October 19, 2020
Modifying libretime "Radio Page"	18	3720	April 20, 2019
Dark Theme Broken Site Feedback	2	796	January 26, 2018
Is there a way to show current "show logo" Get Help	5	1307	February 1, 2020

Content-Security-Policy and other security HTTP headers

Related topics