[
https://issues.apache.org/jira/browse/COUCHDB-2238?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14001233#comment-14001233
]
ASF GitHub Bot commented on COUCHDB-2238:
-----------------------------------------
Github user robertkowalski commented on a diff in the pull request:
https://github.com/apache/couchdb/pull/233#discussion_r12776674
--- Diff: src/couchdb/couch_httpd_misc_handlers.erl ---
@@ -79,6 +80,15 @@ handle_utils_dir_req(#httpd{method='GET'}=Req,
DocumentRoot) ->
handle_utils_dir_req(Req, _) ->
send_method_not_allowed(Req, "GET,HEAD").
+maybe_add_csp_headers(Headers, "false") ->
+ Headers;
+maybe_add_csp_headers(Headers, "true") ->
+ DefaultValues = "default-src 'self'; img-src *; font-src *; " ++
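Review bot: maybe_add_csp_headers/2 only has clauses for the literal strings "false" and "true", so any other second argument (for example "True" or an empty string) raises a function_clause error at the call site. Add a final catch-all clause and decide explicitly whether it returns Headers unchanged or applies the default policy. In the "true" clause, `img-src *; font-src *` allows images and fonts from any origin; narrowing both to 'self' would match the `default-src 'self'` at the start of the same string.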
--- End diff --
Good questions! Here are the points I found:
- Regarding fonts: we are currently loading fonts from a netdna CDN; I want
to remove this already in https://issues.apache.org/jira/browse/COUCHDB-2238
- `unsafe-eval`: our dependency lodash needs it for the templating, if I
remember right
- `img-src`: I will have a look again and change it, if everything works
- `style-src`: we have a lot of inline styles that we depend on;
sometimes it is not that easy to remove them
> Do not reference netdna CDN for Font Awesome icons in production
> ----------------------------------------------------------------
>
> Key: COUCHDB-2238
> URL: https://issues.apache.org/jira/browse/COUCHDB-2238
> Project: CouchDB
> Issue Type: Bug
> Security Level: public(Regular issues)
> Components: Fauxton
> Reporter: Robert Kowalski
>
> I just noticed while I was sitting in the train without internet, hacking on
> Fauxton, that I did not have many icons:
> We are currently referencing Font-Awesome on a CDN in variables.less,
> which is basically nice, but some users of CouchDB are firewalled at work and
> can just use the local network.
> Additionally, offline people without internet can't use Fauxton then.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
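The relaxations debated in the comment above (`img-src *`, `font-src *`, `unsafe-eval`, inline styles) can be checked mechanically against a policy string, including the fallback of missing directives to `default-src`. This is an added example, not code from the pull request or from CouchDB; the function names are hypothetical, and the `script-src` and `style-src` parts of the sample policy are constructed, because the diff line is cut off after `font-src *`.

```javascript
// Added example: audit a Content-Security-Policy value for wildcard and
// 'unsafe-*' sources. Function names are hypothetical, not CouchDB's.
const FETCH_DIRECTIVES = ['script-src', 'style-src', 'img-src', 'font-src', 'connect-src'];
const RISKY = ["'unsafe-inline'", "'unsafe-eval'", '*'];

// Parse "name src src; name src" into a Map of directive -> source list.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored by browsers: the first one wins.
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// Sources that actually apply to a fetch directive; default-src is the fallback.
function effectiveSources(policy, directive) {
  if (policy.has(directive)) return { sources: policy.get(directive), inherited: false };
  if (policy.has('default-src')) return { sources: policy.get('default-src'), inherited: true };
  return { sources: null, inherited: false }; // no restriction at all
}

// Return one finding per risky source, or 'unrestricted' for uncovered directives.
function auditCsp(header) {
  const policy = parseCsp(header);
  const findings = [];
  for (const directive of FETCH_DIRECTIVES) {
    const { sources, inherited } = effectiveSources(policy, directive);
    if (sources === null) {
      findings.push({ directive, issue: 'unrestricted', inherited: false });
      continue;
    }
    for (const src of sources) {
      const s = src.toLowerCase();
      if (RISKY.includes(s)) findings.push({ directive, issue: s, inherited });
    }
  }
  return findings;
}

// Sample policy: the first three directives appear in the diff; the
// script-src and style-src parts are constructed for illustration.
const SAMPLE = "default-src 'self'; img-src *; font-src *; " +
  "script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline';";

console.log(auditCsp(SAMPLE));
```

`connect-src` produces no finding for the sample because it inherits `default-src 'self'`.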