Anybody using Flarum with CSP headers enabled? I'm currently configuring my forum to only allow loading images over https.
Here are the rules I use (nginx):
add_header Content-Security-Policy "default-src 'self' https://analytics.kilowhat.net; script-src 'self' 'unsafe-inline' https://analytics.kilowhat.net https://cdnjs.cloudflare.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdnjs.cloudflare.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' https://analytics.kilowhat.net https://cdn.jsdelivr.net https:;";
From what I've seen at the moment the following is required for a base Flarum install:
script-src 'self' 'unsafe-inline';
style-src 'self' 'unsafe-inline' https://fonts.googleapis.com;
font-src 'self' https://fonts.gstatic.com;
img-src 'self' https://cdn.jsdelivr.net;
fonts.gstatic.com is required to load Google Fonts.
cdn.jsdelivr.net is required to display emojis.
'unsafe-inline' for the styles.
I also have the Analytics extension linked to my Piwik instance on
analytics.kilowhat.net, so I had to add that domain to the default, script and image rules as well.
Then I have my new Emoji Picker extension, which automatically loads emojione libraries from
cdnjs.cloudflare.com (#1). I will need to investigate that, it should probably not happen. The original jquery plugin also uses a
data: image in the CSS, which is hidden by my extension but still triggers a CSP message (#2).
The last part is the real reason to write all this:
https: for the images. I will replace this with a CDN when I finally use an Upload extension.
Do you have CSP enabled on your server? What rules did you use?
I'll create another discussion for my thoughts about inclusion in the core. Link coming.
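A small checker for the policy discussed in this post (an added example, not code from the original post or from Flarum): it parses a CSP header value, applies the default-src fallback, reports which of the sources listed above for a base install are missing, and flags scheme-wide sources such as the https: entry in img-src.

```python
# Added example, not from the original post or from Flarum itself: parse a
# Content-Security-Policy header and check it against the source list this
# post reports a base Flarum install needs. REQUIRED mirrors the post's list.
REQUIRED = {
    "script-src": {"'self'", "'unsafe-inline'"},
    "style-src": {"'self'", "'unsafe-inline'", "https://fonts.googleapis.com"},
    "font-src": {"'self'", "https://fonts.gstatic.com"},
    "img-src": {"'self'", "https://cdn.jsdelivr.net"},
}

# The nginx policy quoted in the post.
POLICY = ("default-src 'self' https://analytics.kilowhat.net; "
          "script-src 'self' 'unsafe-inline' https://analytics.kilowhat.net "
          "https://cdnjs.cloudflare.com; "
          "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com "
          "https://cdnjs.cloudflare.com; "
          "font-src 'self' https://fonts.gstatic.com; "
          "img-src 'self' https://analytics.kilowhat.net "
          "https://cdn.jsdelivr.net https:;")

def parse_csp(header):
    """Return {directive: [sources]}. Directives are ';'-separated, tokens
    whitespace-separated, names case-insensitive. Browsers ignore a directive
    repeated later in the header, so only the first occurrence is kept."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def effective_sources(policy, directive):
    """Sources governing a fetch directive, falling back to default-src when
    the directive is absent (the CSP fallback rule)."""
    return set(policy[directive] if directive in policy
               else policy.get("default-src", []))

def check_policy(header):
    """Return (missing, loose): required sources the header lacks, per
    directive, and scheme-wide sources such as 'https:' that allow any
    host over that scheme (the post's img-src uses one)."""
    policy = parse_csp(header)
    missing = {d: sorted(need - effective_sources(policy, d))
               for d, need in REQUIRED.items()
               if need - effective_sources(policy, d)}
    loose = {d: sorted(s for s in src if s.endswith(":"))
             for d, src in policy.items() if any(s.endswith(":") for s in src)}
    return missing, loose
```

Running `check_policy(POLICY)` on the post's own header reports nothing missing and flags only the `https:` source in img-src.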