|
|
|
@ -96,14 +96,14 @@ server {
|
|
|
|
set $fontSrc "'self' data: ${main_domain}";
|
|
|
|
set $fontSrc "'self' data: ${main_domain}";
|
|
|
|
|
|
|
|
|
|
|
|
# images can be loaded from anywhere, though we'd like to deprecate this as it allows the use of images for tracking
|
|
|
|
# images can be loaded from anywhere, though we'd like to deprecate this as it allows the use of images for tracking
|
|
|
|
set $imgSrc "'self' data: * blob: ${main_domain}";
|
|
|
|
set $imgSrc "'self' data: blob: ${main_domain} ${sandbox_domain}";
|
|
|
|
|
|
|
|
|
|
|
|
# frame-src specifies valid sources for nested browsing contexts.
|
|
|
|
# frame-src specifies valid sources for nested browsing contexts.
|
|
|
|
# this prevents loading any iframes from anywhere other than the sandbox domain
|
|
|
|
# this prevents loading any iframes from anywhere other than the sandbox domain
|
|
|
|
set $frameSrc "'self' ${sandbox_domain} blob:";
|
|
|
|
set $frameSrc "'self' ${sandbox_domain} blob:";
|
|
|
|
|
|
|
|
|
|
|
|
# specifies valid sources for loading media using video or audio
|
|
|
|
# specifies valid sources for loading media using video or audio
|
|
|
|
set $mediaSrc "'self' data: * blob: ${main_domain}";
|
|
|
|
set $mediaSrc "'self' data: blob: ${main_domain} ${sandbox_domain}";
|
|
|
|
|
|
|
|
|
|
|
|
# defines valid sources for webworkers and nested browser contexts
|
|
|
|
# defines valid sources for webworkers and nested browser contexts
|
|
|
|
# deprecated in favour of worker-src and frame-src
|
|
|
|
# deprecated in favour of worker-src and frame-src
|
|
|
|
|
ansuz
3 years ago