guacamole-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Zer0Cool <>
Subject Re: Nginx Content_Security_Policy?
Date Wed, 08 May 2019 15:56:06 GMT
After further testing and messing about I think I have worked out a policy
that does not break anything but will need more testing:

add_header Content-Security-Policy "default-src 'none'; script-src 'self'
'unsafe-inline' 'unsafe-eval'; connect-src 'self'; object-src 'self';
frame-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline';
font-src 'self'; form-action 'self'; base-uri 'self'; frame-ancestors
'self';" always;

It seems like "unsafe-inline", "unsafe-eval" and "data:" are required as
seen above for certain parameters for Guac to function properly.

With the above I am getting a B+ 80/100 score on Mozilla's observatory test
found here: Due to needing to use the
unsafe parameters, I don't think a higher score is possible.

Regardless, it seems that with the current policy there are some benefits so
I will keep testing and see if any refinements are needed to have Guac 100%

Still open to any suggestions or insight as this is new to me. Thanks

Sent from:

View raw message