Github user robertkowalski commented on a diff in the pull request:

    https://github.com/apache/couchdb/pull/233#discussion_r12776674
  
    --- Diff: src/couchdb/couch_httpd_misc_handlers.erl ---
    @@ -79,6 +80,15 @@ handle_utils_dir_req(#httpd{method='GET'}=Req, 
DocumentRoot) ->
     handle_utils_dir_req(Req, _) ->
         send_method_not_allowed(Req, "GET,HEAD").
     
    +maybe_add_csp_headers(Headers, "false") ->
    +    Headers;
    +maybe_add_csp_headers(Headers, "true") ->
    +    DefaultValues = "default-src 'self'; img-src *; font-src *; " ++
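Review bot: maybe_add_csp_headers/2 only has clauses for the exact strings "false" and "true", so any other value of the setting (unset, differently capitalised, or a non-string term) raises a function_clause error while serving the request; add a catch-all clause such as `maybe_add_csp_headers(Headers, _) -> Headers.` or validate and normalise the setting where it is read, and document which values are accepted. The DefaultValues string is cut off after the `++` in this excerpt, so the full policy cannot be reviewed here.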
    --- End diff --
    
    Good questions! Here are the points I found:
    
    - Regarding fonts: we are currently loading fonts from a netdna CDN; I already want to remove this in https://issues.apache.org/jira/browse/COUCHDB-2238
    
    - `unsafe-eval`: our dependency lodash needs it for the templating, if I remember right
    
    - img-src: I will have a look again and change it if everything works
    
    - style-src: we have a lot of inline styles that we depend on; sometimes it is not that easy to remove them

