Hm, question for

has a stricter Content-Security-Policy than Mastodon, and will only allow media from the assets/data hosts, as I thought this would be enough.

However, some object storage services people use make use of redirects to other domains (e.g., you request, and there's a 301 to, which doesn't match the CSP).

Should we just do like Mastodon and allow media from anywhere? Or is there something a bit better that we can do?

(I think the benefits of only allowing specific hosts for media files is rather limited, so I'm ok to get rid of that if it causes headache, but if there's a better way, I'd rather go with it)

@Thib Maybe make it an option activated by default? :x

@Nocta yeah, you're the second person to suggest that so far, but I'm not sure about it: I'd rather prefer if it would work out of the box and people didn't have to find an obscure setting for it to work :/

I'm wondering if it's worth having this rule at all. afaik the only kind of attack it prevents is like, remote media being used for tracking after an exploit allowing HTML injection has been found, so, idk

@Nocta in the end i'll probably do something like that:

as i currently only know of one such data storage provider solution, and they're especially tailored for Mastodon and forks, so they can document that 🤷

@Thib I didn't spell it out, but that's more or less what I had in mind too ^^
I think that's the cleanest way
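
The redirect problem discussed in this thread, as an added example that is not part of the original conversation: the browser checks every hop of a redirect chain against the media host allowlist, so a 301 to a host outside the list is blocked. All host names, the helper functions and the sample chain are constructed for illustration, and the matcher is a simplified host-source check (no paths, keywords or IPv6).

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def parse_host_source(expr):
    """Split a CSP host-source like 'https://*.example.net:443' into parts."""
    scheme, _, rest = expr.rpartition("://")
    rest = rest.split("/", 1)[0]          # path part is ignored in this sketch
    host, _, port = rest.partition(":")
    return scheme.lower() or None, host.lower(), port or None

def host_source_allows(expr, url):
    """True if one host-source expression permits the given URL."""
    scheme, host, port = parse_host_source(expr)
    u = urlsplit(url)
    u_host = (u.hostname or "").lower()
    if scheme and u.scheme != scheme:
        return False
    if not scheme and u.scheme not in DEFAULT_PORTS:
        return False                      # simplification: schemeless = http(s)
    if host.startswith("*."):
        if not u_host.endswith(host[1:]): # '*.x' does not match bare 'x'
            return False
    elif u_host != host:
        return False
    u_port = u.port or DEFAULT_PORTS.get(u.scheme)
    if port is None:
        return u_port == DEFAULT_PORTS.get(u.scheme)
    return port == "*" or int(port) == u_port

def first_blocked_hop(allowed_sources, chain):
    """Return the first URL in a redirect chain that no source allows."""
    for url in chain:
        if not any(host_source_allows(s, url) for s in allowed_sources):
            return url
    return None

# Constructed sample: instance hosts plus a storage service that redirects.
STRICT = ["https://assets.example.social", "https://files.example.social"]
CHAIN = [
    "https://files.example.social/media/1.png",           # initial request
    "https://bucket.storage-provider.example/media/1.png" # 301 target
]
WITH_PROVIDER = STRICT + ["https://*.storage-provider.example"]

if __name__ == "__main__":
    print("strict policy blocks:", first_blocked_hop(STRICT, CHAIN))
    print("extended policy blocks:", first_blocked_hop(WITH_PROVIDER, CHAIN))
```

Running the same check against the redirect chains an instance's storage backend actually produces shows which extra hosts the policy would need before media loads.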
