[tor-bugs] #28783 [Webpages/Website]: Incomplete Content-Security-Policy blocks video on "Set up Relays" page

Tor Bug Tracker & Wiki blackhole at torproject.org
Fri Dec 7 15:37:31 UTC 2018


#28783: Incomplete Content-Security-Policy blocks video on "Set up Relays" page
------------------------+----------------------------------
 Reporter:  darkspirit  |          Owner:  hiro
     Type:  defect      |         Status:  new
 Priority:  Medium      |      Component:  Webpages/Website
  Version:              |       Severity:  Normal
 Keywords:              |  Actual Points:
Parent ID:              |         Points:
 Reviewer:              |        Sponsor:
------------------------+----------------------------------
 Affected page: https://www.torproject.org/getinvolved/relays.html.en

 Problem: "No video with supported format and MIME type found"
 The video's URL is
 https://media.torproject.org/video/2012-03-04-BuildingBridges.ogv and is
 forbidden by CSP.

 Solution: Change

 {{{
 Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'
 }}}
 (https://www.hardenize.com/report/torproject.org/1544035352#www_csp)

 to

 {{{
 Content-Security-Policy: default-src 'self'; style-src 'self' 'unsafe-inline'; media-src 'self' https://media.torproject.org
 }}}

 or even to


 {{{
 Content-Security-Policy: default-src 'self'; style-src 'self' 'unsafe-inline'; media-src 'self' https://media.torproject.org; frame-ancestors 'self'; block-all-mixed-content; disown-opener; plugin-types application/pdf; base-uri 'self'
 }}}

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/28783>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
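
Added example, not part of the ticket or of the Tor Project's code: a simplified CSP source-list check in JavaScript showing why the policy quoted in the ticket blocks the video (there is no `media-src`, so `default-src 'self'` governs the load) and why the first proposed policy permits it. It handles only keyword, scheme and scheme-qualified host sources and ignores ports and paths; the function names are hypothetical.

```javascript
// Simplified CSP check for media loads (not a full CSP Level 3 matcher).
// The two policies, the page URL and the video URL are the ones quoted in the ticket.

function parseCsp(header) {
  // Split "directive src src; directive ..." into a Map of name -> source list.
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // Per the CSP spec, the first occurrence of a directive wins.
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

function sourceMatches(source, target, page) {
  if (source === "'none'") return false;
  if (source === "'self'") return target.origin === page.origin;
  if (source === '*') return ['http:', 'https:'].includes(target.protocol);
  // Scheme-source such as "https:"
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return target.protocol === source.toLowerCase();
  // Host-source with explicit scheme, e.g. https://media.torproject.org or https://*.example.org
  const m = /^([a-z][a-z0-9+.-]*):\/\/(\*\.)?([^/:]+)/i.exec(source);
  if (!m) return false; // keywords such as 'unsafe-inline' never match a URL
  const [, scheme, wildcard, host] = m;
  if (target.protocol !== scheme.toLowerCase() + ':') return false;
  const h = host.toLowerCase();
  return wildcard ? target.hostname.endsWith('.' + h) : target.hostname === h;
}

function mediaAllowed(header, pageUrl, mediaUrl) {
  const policy = parseCsp(header);
  // media-src is a fetch directive: when it is absent, default-src applies instead.
  const list = policy.get('media-src') ?? policy.get('default-src');
  if (list === undefined) return true; // no applicable directive, load is unrestricted
  const target = new URL(mediaUrl);
  const page = new URL(pageUrl);
  return list.some((s) => sourceMatches(s, target, page));
}

const PAGE = 'https://www.torproject.org/getinvolved/relays.html.en';
const VIDEO = 'https://media.torproject.org/video/2012-03-04-BuildingBridges.ogv';
const DEPLOYED = "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'";
const PROPOSED = "default-src 'self'; style-src 'self' 'unsafe-inline'; " +
  "media-src 'self' https://media.torproject.org";

console.log('deployed policy allows video:', mediaAllowed(DEPLOYED, PAGE, VIDEO));
console.log('proposed policy allows video:', mediaAllowed(PROPOSED, PAGE, VIDEO));
```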

