Added notes about CSP for Nginx reverse proxy

Also added: frame-ancestors 'self' which is the CSP equivelent to X-Frame-Options sameorigin
jellyfin-archive · Oct 18, 2019 · a5c0339 · a5c0339
1 parent 991fd82
commit a5c0339
Showing 1 changed file with 3 additions and 1 deletion.
diff --git a/general/administration/reverse-proxy.md b/general/administration/reverse-proxy.md
@@ -128,7 +128,9 @@ server {
 #
 #    # Content Security Policy
 #    # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
-#    add_header Content-Security-Policy "default-src https: data: blob:; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com/cv/js/sender/v1/cast_sender.js; worker-src 'self' blob:; connect-src 'self'; object-src 'none'";
+#    # Enforces https content and restricts JS/CSS to origin
+#    # External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
+#    add_header Content-Security-Policy "default-src https: data: blob:; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com/cv/js/sender/v1/cast_sender.js; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'";
 #
 #    location / {
 #        # Proxy main Jellyfin traffic