From 8e27dbff15690dd9032f0f3e254e5f7cecbe12dd Mon Sep 17 00:00:00 2001 From: El RIDO Date: Thu, 19 Sep 2019 19:24:28 +0200 Subject: [PATCH] clarify the use of 'unsafe-eval' and what the impact removing it has - Firefox users may not care and disable it to improve security --- cfg/conf.sample.php | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/cfg/conf.sample.php b/cfg/conf.sample.php index 3decc5c8..0f2d50d5 100644 --- a/cfg/conf.sample.php +++ b/cfg/conf.sample.php @@ -68,8 +68,17 @@ languageselection = false ; custom scripts from third-party domains to your templates, e.g. tracking ; scripts or run your site behind certain DDoS-protection services. ; Check the documentation at https://content-security-policy.com/ -; Note: If you use a bootstrap theme, you can remove the allow-popups from the sandbox restrictions. -; By default this disallows to load images from third-party servers, e.g. when they are embedded in pastes. If you wish to allow that, you can adjust the policy here. See https://github.com/PrivateBin/PrivateBin/wiki/FAQ#why-does-not-it-load-embedded-images for details. +; Notes: +; - If you use a bootstrap theme, you can remove the allow-popups from the +; sandbox restrictions. +; - By default this disallows to load images from third-party servers, e.g. when +; they are embedded in pastes. If you wish to allow that, you can adjust the +; policy here. See https://github.com/PrivateBin/PrivateBin/wiki/FAQ#why-does-not-it-load-embedded-images +; for details. +; - The 'unsafe-eval' is used in two cases; to check if the browser supports +; async functions and display an error if not and for Chrome to enable +; webassembly support (used for zlib compression). You can remove it if Chrome +; doesn't need to be supported and old browsers don't need to be warned. ; cspheader = "default-src 'none'; manifest-src 'self'; connect-src * blob:; script-src 'self' 'unsafe-eval'; style-src 'self'; font-src 'self'; img-src 'self' data: blob:; media-src blob:; object-src blob:; sandbox allow-same-origin allow-scripts allow-forms allow-popups allow-modals" ; stay compatible with PrivateBin Alpha 0.19, less secure