I recently did a check with Webbkoll and it showed me the following Content Security Policy header:
default-src 'none';base-uri 'none';manifest-src 'self';script-src 'nonce-xxx';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';worker-src 'self' blob:
However, in my nginx vHost configuration I didn’t set a CSP.
I wanted to treat this topic today, but then I found this. xD
Where does this CSP come from? Where can I modify it, if needed?
I wanted to disallow the Nextcloud News App + Bookmarks App to load images from 3rd party sites.
(In general I want the most restrictive CSP possible.)
img-src 'self' data: blob:
I don’t know exactly what “data” and “blob” mean.
How should I modify it to achieve the above?
I hope someone can clarify this.
Thanks!
edit: Another question but regarding the same topic:
I’ve set the
add_header X-Frame-Options deny always;
header, but now the admin panel shows a warning that it is not set to “SAMEORIGIN”.
However, deny should be more secure than sameorigin, right?
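As an added illustration (not code from the post, and not how Nextcloud itself builds its policy): a simplified CSP source matcher, run over constructed URLs against the img-src line quoted above and against a variant that drops data: and blob:. It shows that 'self' only matches the page's own origin, while data: and blob: admit inline data: and blob: URLs rather than third-party hosts; the origin cloud.example and the host feeds.example are made up for the example.

```python
from urllib.parse import urlsplit

# Added example, not Nextcloud code: a simplified CSP source-expression matcher,
# enough to see what 'self', data: and blob: permit and what they do not.

# The header quoted in the post, and a tightened variant without data:/blob: for images
POSTED_CSP = ("default-src 'none';base-uri 'none';manifest-src 'self';"
              "script-src 'nonce-xxx';style-src 'self' 'unsafe-inline';"
              "img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';"
              "media-src 'self';frame-ancestors 'self';worker-src 'self' blob:")
TIGHT_CSP = POSTED_CSP.replace("img-src 'self' data: blob:", "img-src 'self'")

def parse_csp(header):
    """Split a CSP header into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def source_matches(expr, url, page_origin):
    """Simplified CSP source matching (ignores ports, paths, nonces and hashes)."""
    u = urlsplit(url)
    if expr == "'none'":
        return False
    if expr == "'self'":                 # same scheme and host as the page itself
        return f"{u.scheme}://{u.netloc}" == page_origin
    if expr.startswith("'"):             # 'unsafe-inline', 'nonce-...': not URL sources
        return False
    if expr.endswith(":"):               # scheme-source such as data: or blob:
        return u.scheme == expr[:-1]
    host = expr.split("://", 1)[-1].split("/")[0].split(":")[0]   # host-source
    if host.startswith("*."):            # wildcard matches any subdomain
        return u.hostname is not None and u.hostname.endswith(host[1:])
    return u.hostname == host

def allows(header, directive, url, page_origin):
    """Evaluate one fetch directive; absent directives fall back to default-src."""
    policy = parse_csp(header)
    sources = policy.get(directive, policy.get("default-src", []))
    return any(source_matches(s, url, page_origin) for s in sources)

if __name__ == "__main__":
    origin = "https://cloud.example"     # constructed page origin
    for url in ("https://cloud.example/core/img/logo.svg",   # own origin
                "https://feeds.example/picture.png",         # third-party host
                "data:image/png;base64,AAAA",                # inline data URL
                "blob:https://cloud.example/3f1c"):          # blob URL
        print(f"{url:45} posted={allows(POSTED_CSP, 'img-src', url, origin)!s:5} "
              f"tight={allows(TIGHT_CSP, 'img-src', url, origin)}")
```

With the posted header, a remote image host is already rejected by img-src because neither data: nor blob: is a host source; dropping them additionally blocks inline data: and blob: images.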