Refactor Content-Security-Policy in .htaccess #811
| @@ -1,13 +1,15 @@ | ||||||
| ErrorDocument 404 /404.html | ||||||
| <IfModule mod_headers.c> | ||||||
| Header always set Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline'; \ | ||||||
| frame-src 'self' https://www.youtube.com https://player.bilibili.com https://hcaptcha.com https://*.hcaptcha.com; \ | ||||||
| script-src 'self' 'unsafe-inline' 'unsafe-eval' https://*.algolianet.com https://*.algolia.net https://*.algolia.io https://api.github.com https://kapa-widget-proxy-la7dkmplpq-uc.a.run.app https://hcaptcha.com https://*.hcaptcha.com; \ | ||||||
| Header always set Content-Security-Policy "default-src 'self'; \ | ||||||
| script-src 'self' 'unsafe-inline' 'unsafe-eval' https://*.algolianet.com https://*.algolia.net https://*.algolia.io https://api.github.com https://kapa-widget-proxy-la7dkmplpq-uc.a.run.app https://*.hcaptcha.com; \ | ||||||
| connect-src 'self' https://*.algolianet.com https://*.algolia.net https://*.algolia.io https://api.github.com https://kapa-widget-proxy-la7dkmplpq-uc.a.run.app https://*.hcaptcha.com; \ | ||||||
| style-src 'self' 'unsafe-inline' https://hcaptcha.com https://*.hcaptcha.com; \ | ||||||
| img-src 'self' data: https://hcaptcha.com https://*.hcaptcha.com; \ | ||||||
| frame-ancestors 'self'; \ | ||||||
| frame-src 'self' https://www.youtube.com https://player.bilibili.com https://*.hcaptcha.com; \ | ||||||
| style-src 'self' 'unsafe-inline' https:; \ | ||||||
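Review bot: the tightening of default-src to 'self' does not reach the directive that matters most for XSS, because the new script-src line still carries 'unsafe-inline' and 'unsafe-eval'; any injected inline script or eval() call remains allowed. Consider moving inline scripts to nonce- or hash-based allowances (browsers that understand a 'nonce-…' or 'sha256-…' source ignore 'unsafe-inline' alongside it) and dropping 'unsafe-eval' unless one of the listed widgets is confirmed to need it. In the same hunk, `style-src 'self' 'unsafe-inline' https:;` reopens the any-HTTPS-origin allowance that removing https: from default-src closed; if the only third-party stylesheets are hCaptcha's, listing https://*.hcaptcha.com (as the earlier line did) keeps the benefit of the refactor.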
| style-src 'self' 'unsafe-inline' https:; \ | |
| style-src 'self' 'unsafe-inline' https://js.hcaptcha.com https://*.hcaptcha.com; \ |
Copilot
AI
Jan 25, 2026
The img-src directive has been changed from specific hcaptcha domains to a broad https: wildcard, which allows loading images from any HTTPS source. This loosens security compared to the previous configuration.
While this provides flexibility, it reduces protection against potential image-based attacks or data exfiltration. If the application only needs images from specific known domains, consider restricting this to those domains rather than allowing all HTTPS sources. This is particularly important for user-facing applications where malicious actors might exploit this to load tracking pixels or other unwanted content.
| img-src 'self' data: https:; \ | |
| img-src 'self' data: https://js.hcaptcha.com https://*.hcaptcha.com; \ |
Copilot
AI
Jan 25, 2026
The newly added font-src directive allows fonts from any HTTPS source with the broad https: wildcard. This is quite permissive and could potentially be exploited.
If the application uses fonts from specific sources (like Google Fonts, Adobe Fonts, or specific CDNs), consider listing only those specific domains instead of allowing all HTTPS sources. If custom fonts are only served from your own domain, font-src 'self' data: would be more secure.
| font-src 'self' data: https:; \ | |
| font-src 'self' data:; \ |
Copilot
AI
Jan 25, 2026
The newly added media-src directive allows media from any HTTPS source with the broad https: wildcard. This is quite permissive.
If the application serves media from specific sources (like your own domain or specific CDNs), consider listing only those specific domains instead of allowing all HTTPS sources. If media is only served from your own domain, media-src 'self' would be more secure. Note that video embeds from YouTube and Bilibili are already covered by frame-src, so media-src is for direct audio/video elements.
| media-src 'self' https:; \ | |
| media-src 'self'; \ |
The default-src directive has been significantly tightened from 'self' https: data: 'unsafe-inline' to just 'self'. While this is generally more secure, it means that any resource types without explicit directives will now be restricted to same-origin only.

Missing explicit directives that may be needed:
- worker-src - for web workers (if used)
- manifest-src - for web app manifests (if used)
- child-src - for workers and nested browsing contexts (deprecated but may be needed for compatibility)

Please verify that the application doesn't use any resource types that aren't covered by the explicit directives now defined (script-src, connect-src, frame-src, style-src, img-src, font-src, media-src, object-src). Without the broader default-src fallback, these resources will be blocked.
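A checker for the points raised across these review comments, as an added example (not code from PR #811 or the project's .htaccess): it parses a Content-Security-Policy header value and flags the scheme-wide https: sources, the unsafe keywords in script-src, and the fetch directives that are absent and will therefore fall back to default-src 'self'. The sample policy is reconstructed from the diff above; object-src is defined in the PR but its value is not visible in the diff, so 'none' is assumed.

```python
"""CSP policy linter (added example, not code from PR #811 or the project).

Parses a Content-Security-Policy header value and reports: scheme-wide
sources such as https:, 'unsafe-inline' / 'unsafe-eval' in script-src,
data: in script/object sources, and fetch directives that are not set
and so fall back to default-src.
"""

# Fetch directives that fall back to default-src when not set explicitly.
# (worker-src actually falls back via child-src and script-src first, but the
# end result is the same when neither of those is set either.)
FETCH_DIRECTIVES = (
    "script-src", "style-src", "img-src", "font-src", "connect-src",
    "media-src", "object-src", "frame-src", "worker-src", "manifest-src",
    "child-src",
)

# Scheme-only or wildcard sources: any origin on that scheme is allowed.
BROAD_SOURCES = {"https:", "http:", "*"}

# Constructed sample: the effective policy after PR #811, reconstructed from
# the diff. The object-src value is not visible in the diff; 'none' is assumed.
SAMPLE_POLICY = (
    "default-src 'self'; "
    "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://*.algolianet.com "
    "https://*.algolia.net https://*.algolia.io https://api.github.com "
    "https://kapa-widget-proxy-la7dkmplpq-uc.a.run.app https://*.hcaptcha.com; "
    "connect-src 'self' https://*.algolianet.com https://*.algolia.net "
    "https://*.algolia.io https://api.github.com "
    "https://kapa-widget-proxy-la7dkmplpq-uc.a.run.app https://*.hcaptcha.com; "
    "style-src 'self' 'unsafe-inline' https:; "
    "img-src 'self' data: https:; "
    "font-src 'self' data: https:; "
    "media-src 'self' https:; "
    "frame-ancestors 'self'; "
    "frame-src 'self' https://www.youtube.com https://player.bilibili.com "
    "https://*.hcaptcha.com; "
    "object-src 'none'"
)


def parse_csp(header: str) -> dict[str, list[str]]:
    """Parse a CSP header value into {directive: [sources]}.

    Accepts the backslash-newline continuations Apache allows inside a quoted
    Header value, lower-cases directive names, and keeps only the first
    occurrence of a repeated directive, as browsers do.
    """
    header = header.replace("\\\n", " ")
    policy: dict[str, list[str]] = {}
    for raw in header.split(";"):
        tokens = raw.split()
        if not tokens:
            continue
        policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def lint_csp(header: str) -> list[tuple[str, str, str]]:
    """Return (severity, directive, message) findings for a policy value."""
    policy = parse_csp(header)
    default = policy.get("default-src")
    findings: list[tuple[str, str, str]] = []

    # script-src inherits default-src when absent, so lint the effective value.
    script_name = "script-src" if "script-src" in policy else "default-src"
    script = policy.get(script_name, [])
    # A nonce or hash source makes browsers ignore 'unsafe-inline' next to it.
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in script
    )
    if "'unsafe-inline'" in script and not has_nonce_or_hash:
        findings.append((
            "high", script_name,
            "'unsafe-inline' lets injected inline script run; use nonces or hashes",
        ))
    if "'unsafe-eval'" in script:
        findings.append((
            "high", script_name,
            "'unsafe-eval' allows eval()/new Function() on injected strings",
        ))

    for name, sources in policy.items():
        for src in sources:
            if src in BROAD_SOURCES:
                findings.append((
                    "medium", name,
                    f"{src} permits any origin on that scheme; list the needed hosts",
                ))
        if name in ("script-src", "object-src") and "data:" in sources:
            findings.append(("high", name, "data: URLs here can carry attacker-supplied content"))

    if default is None:
        findings.append(("medium", "default-src", "missing; unlisted fetch directives are unrestricted"))
    for name in FETCH_DIRECTIVES:
        if name not in policy:
            fallback = " ".join(default) if default else "(unrestricted)"
            findings.append(("info", name, f"not set; falls back to default-src {fallback}"))
    return findings


if __name__ == "__main__":
    for severity, directive, message in lint_csp(SAMPLE_POLICY):
        print(f"[{severity:6}] {directive:13} {message}")
```

Run it as-is to lint the reconstructed policy, or pass the value of a live Content-Security-Policy response header (for example the one curl -sI prints for the site) to lint_csp. The "info" findings are the directives the last comment asks about: they are only a problem if the site actually loads workers, a web app manifest, or nested contexts from another origin, which the linter cannot know.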