PeerTube icon indicating copy to clipboard operation
PeerTube copied to clipboard
verified publisher icon Chocobozzz

Missing “script-src-attr” Content-Security-Policy

Open DanWin opened this issue 2 years ago • 0 comments

Describe the current behavior

When enabling CSP, the following issue is reported: Content-Security-Policy: The page’s settings observed the loading of a resource at inline (“script-src-attr”). A CSP report is being sent. Disabling report-only mode breaks the page.

Steps to reproduce

  1. Install latest peertube 6.0.2
  2. Enable CSP
  3. Open the website and observe above error message

Describe the expected behavior

Enabling CSP should not break functionality. A script-src-attr policy should be added to achieve this, most likely it will need to allow "unsafe-inline".

Additional information

  • PeerTube instance:

    • URL: https://crimes.media/
    • Version: 6.0.2
    • NodeJS version: v21.5.0

  • Browser name, version and platforms on which you could reproduce the bug: Current Firefox and Chrome versions in Ubuntu

DanWin avatar Jan 15 '24 10:01 DanWin