Which outsource scripts are used by Flarum? ( CSP )

fakruzaruret

I am trying to configure nginx file for CSP. I want to add some reliable websites to CSP whitelist like ajax.googleapis bootstrap etc.
I don't know that Which outsource CDNs etc are used by Flarum. How can I configure Flarum I dont know exactly. I am new about CSP.

tankerkiller125

Firefox has an excellent tool that can help with this https://addons.mozilla.org/en-US/firefox/addon/laboratory-by-mozilla/ because flarum supports extensions, some extensions may add extra external sources, so even though someone could possibly give you a CSP record that works for them it's not guaranteed to work for your site.

Once you've generated a CSP you'll need to add the Content-Security-Policy using your web server of choice (Apache, Nginx, Caddy, etc.)

The discuss forum could theoretically use the following header as their CSP:

Content-Security-Policy:    default-src 'none'; connect-src 'self' wss://ws-mt1.pusher.com; font-src 'self'; img-src https:; script-src 'self' 'unsafe-eval' 'unsafe-inline' https://cdnjs.cloudflare.com https://js.pusher.com https://stats.pusher.com https://www.google-analytics.com; style-src 'self' 'unsafe-inline' https://cdnjs.cloudflare.com

You'll notice that pusher is an extension that you may or may not use along with google analytics.