Add fixes for Gravatar

Signed-off-by: Tommy <contact@tommytran.io>
2025-04-19 23:16:05 -04:00 · 2022-12-26 12:30:58 -05:00 · 2022-12-26 12:30:58 -05:00 · ea827f7b40
commit ea827f7b40
parent 9ee00ae034
1 changed files with 16 additions and 3 deletions
--- a/content/posts/linux/Slightly
+++ b/content/posts/linux/Slightly
@ -68,16 +68,29 @@ add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autopl

 Use the following as your [Content Security Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP#:~:text=Content%20Security%20Policy%20(CSP)%20is,site%20defacement%2C%20to%20malware%20distribution.):

+#### If you use Gravatar with SOGo
+
 ```
-add_header Content-Security-Policy "default-src 'none'; connect-src 'self' https://api.github.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: https://www.gravatar.com; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; frame-ancestors 'none'; block-all-mixed-content; base-uri 'none'";
+add_header Content-Security-Policy "default-src 'none'; connect-src 'self' https://api.github.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data:; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; frame-ancestors 'none'; block-all-mixed-content; base-uri 'none'";
+```
+
+#### If you do not use Gravatar with SOGo
+
+```
+add_header Content-Security-Policy "default-src 'none'; connect-src 'self' https://api.github.com https://www.gravatar.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: https://www.gravatar.com; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; frame-ancestors 'none'; block-all-mixed-content; base-uri 'none'";
 ```

 ### CORP, COEP, COOP

-Mailcow does not use any cross site scripts, images, or documents. Thus, you should set these headers to their strictest configuration:
+Mailcow does not use any cross site scripts, or documents. Thus, you should set CORP and COOP headers to their strictest configuration:

 ```
 add_header Cross-Origin-Opener-Policy same-origin;
-add_header Cross-Origin-Embedder-Policy require-corp;
 add_header Cross-Origin-Resource-Policy same-origin;
+```
+
+If you do not use Gravatar with SOGo, you can also set COEP to require-corp:
+
+```
+add_header Cross-Origin-Embedder-Policy require-corp;
 ```