#GlitchSoc has a stricter Content-Security-Policy than Mastodon, and will only allow media from the assets/data hosts, as I thought this would be enough.
However, some object storage services people use make use of redirects to other domains (e.g., you request https://data.storage.foo, and there's a 301 to https://actual.storage.foo), which doesn't match the CSP.
Should we just do like Mastodon and allow media from anywhere? Or is there something a bit better that we can do?
(I think the benefits of only allowing specific hosts for media files is rather limited, so I'm ok to get rid of that if it causes headache, but if there's a better way, I'd rather go with it)
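To make the mismatch concrete, here is a simplified CSP source-list matcher run over a redirect chain like the one described above (an added example, not code from this thread or from GlitchSoc/Mastodon); the origin, hosts and the three policies are constructed assumptions.

```python
from urllib.parse import urlsplit

# Constructed redirect chain for the scenario in the thread: the page requests an
# object on the data host and the storage service answers with a 301 elsewhere.
REDIRECT_CHAIN = [
    "https://data.storage.foo/media/abc.png",
    "https://actual.storage.foo/media/abc.png",
]
SELF = "https://social.example"                       # assumed instance origin
STRICT = ["'self'", "https://data.storage.foo"]       # only the configured data host
WILDCARD = ["'self'", "https://*.storage.foo"]        # any subdomain of the storage domain
PERMISSIVE = ["'self'", "https:"]                     # any https host at all

def _host_matches(pattern: str, host: str) -> bool:
    """CSP host matching: exact host, or '*.example' covering subdomains only."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) and host != pattern[2:]
    return pattern == host

def source_matches(expr: str, url: str, self_origin: str) -> bool:
    """Simplified CSP3 'does url match source expression' (no nonce/hash, no path check)."""
    u = urlsplit(url)
    if expr == "'none'":
        return False
    if expr == "'self'":
        return (u.scheme, u.netloc) == tuple(urlsplit(self_origin)[:2])
    if expr == "*":
        return u.scheme in ("http", "https", "ws", "wss")  # '*' excludes data:/blob:
    if expr.endswith(":"):                                 # scheme-source, e.g. https:
        return u.scheme == expr[:-1]
    # host-source: [scheme://]host[:port]; the path is ignored here, as CSP does after a redirect
    scheme, _, rest = expr.partition("://") if "://" in expr else ("", "", expr)
    if scheme and u.scheme != scheme and not (scheme == "http" and u.scheme == "https"):
        return False
    host, _, port = rest.split("/", 1)[0].partition(":")
    effective_port = str(u.port or {"https": 443, "http": 80}.get(u.scheme))
    if port and port != "*" and effective_port != port:
        return False
    return _host_matches(host, u.hostname or "")

def redirect_chain_allowed(source_list, chain, self_origin=SELF) -> bool:
    """Every hop, including the final redirect target, must match the source list;
    that is why a 301 to another domain fails under a policy listing one host."""
    return all(any(source_matches(e, url, self_origin) for e in source_list) for url in chain)

if __name__ == "__main__":
    for name, policy in (("strict", STRICT), ("wildcard", WILDCARD), ("permissive", PERMISSIVE)):
        print(name, redirect_chain_allowed(policy, REDIRECT_CHAIN))
```

The wildcard form only helps when the redirect target stays under the same parent domain; a redirect to an unrelated domain still needs the permissive form.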
@Thib Maybe make it an option activated by default? :x
@Nocta yeah, you're the second person to suggest that so far, but I'm not sure about it: I'd prefer it to work out of the box, so people didn't have to find an obscure setting for it to work :/
I'm wondering if it's worth having this rule at all. AFAIK the only kind of attack it prevents is, like, remote media being used for tracking after an exploit allowing HTML injection has been found, so, idk.
@Thib I didn't say so, but that was more or less what I had in mind too ^^
I think that's the cleanest option.
This is a small personal instance running on a couple small ARM servers at home.