Solution for unsecure/mixed content in NC News App


#1

A well-known side effect of RSS news is the fact that it shows mixed content - mainly images, icons and sometimes blind GIFs used as trackers. As a workaround I’ve set up my .htaccess file preventing me from everything outside my walled privacy garden. So if you add these lines below the Do-Not-Change line you shouldn’t see any unsecure 3rd party content:

Header set Content-Security-Policy "frame-ancestors 'self'; default-src 'self'; img-src 'self' ; object-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-eval' 'unsafe-inline'"

Header set Strict-Transport-Security "max-age=63072000;"

Note: If you’re using external App Servers like Collabora, OnlyOffice or Piwik do not forget to add these into your CSP Policy. And do backup your .htaccess, the next Nextcloud update could overwrite it.
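
An added example, not part of the original post: a simplified CSP source-list matcher that shows which URLs the policy above lets through, and why an external app server stays blocked until it is added to the policy. The origin `cloud.example.test`, the server `office.example.test` and the `frame-src` extension are constructed assumptions; ports in host sources and the `child-src` fallback are not modelled.

```python
from urllib.parse import urlsplit

# Policy value copied from the post's Header directive.
POLICY = ("frame-ancestors 'self'; default-src 'self'; img-src 'self' ; "
          "object-src 'self'; style-src 'self' 'unsafe-inline'; "
          "script-src 'self' 'unsafe-eval' 'unsafe-inline'")
# Constructed values: the Nextcloud origin and an external office server.
SELF = "https://cloud.example.test"
EXTENDED = POLICY + "; frame-src 'self' https://office.example.test"

def parse_csp(policy):
    """Split a CSP header value into {directive: [source expressions]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            # A repeated directive is ignored; the first occurrence wins.
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives

def origin(url):
    """Return (scheme, host, port) with default ports filled in."""
    u = urlsplit(url)
    return (u.scheme, (u.hostname or "").lower(),
            u.port or {"http": 80, "https": 443}.get(u.scheme))

def is_allowed(policy, directive, url, self_url=SELF):
    """Simplified match: 'self', *, scheme sources and host sources (port ignored)."""
    parsed = parse_csp(policy)
    sources = parsed.get(directive, parsed.get("default-src"))
    if sources is None:
        return True  # neither the directive nor default-src is set
    scheme, host, _ = origin(url)
    for src in sources:
        if src == "'self'":
            if origin(url) == origin(self_url):
                return True
        elif src == "*":
            if scheme in ("http", "https"):
                return True
        elif src.endswith(":"):
            if src[:-1].lower() == scheme:
                return True
        elif not src.startswith("'"):
            s = urlsplit(src if "://" in src else "//" + src)
            pat = (s.hostname or "").lower()
            if s.scheme in ("", scheme) and (host == pat or
                    (pat.startswith("*.") and host.endswith(pat[1:]))):
                return True
    return False
```

Calling `is_allowed(POLICY, "img-src", url)` for each image URL in a feed item shows which ones the browser will refuse to load under this policy.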