Support more than one recommended CSP (Content Security Policy)

[elrido]

With the introduction of the bootstrap5 template in PrivateBin 1.7.2, the CSP has to be relaxed a little, to display the SVG images in the buttons. This leads to the situation, that in 1.7.2 & 1.7.3, some instances get listed with non-recommended CSP (and ranked lower), if they use the (non-default, at this time) bootstrap5 template and relaxed CSP settings.

Long term, when bootstrap5 becomes the default template, we will want to change the recommended CSP. So it will in any case make sense to support at least version-dependent CSPs.

Optionally, for the versions that do include both bootstrap5 and at least one other template, it could make sense to either tolerate multiple CSP recommendations, or ideally only tolerate the relaxed CSP if the bootstrap5 template is used. Similarly, we did always suggest, that when using the bootstrap template, the allow-popups policy can be omitted. It seems unlikely anyone ever did that, since most instances pass the current CSP check and use that template.

Here is a complete list of versions and CSPs recommended for them:

• before 1.0: arguably, we shouldn't rate older versions of PrivateBin/ZeroBin negatively if they have none
• 1.0, introduced CSPs: default-src 'none'; connect-src *; script-src 'self'; style-src 'self'; font-src 'self'; img-src 'self' data:;
• 1.1 & 1.1.1, oldest instance still in the directory with CSP: default-src 'none'; manifest-src 'self'; connect-src *; script-src 'self'; style-src 'self'; font-src 'self'; img-src 'self' data:; referrer no-referrer;
• 1.2 - 1.2.3: default-src 'none'; manifest-src 'self'; connect-src *; script-src 'self'; style-src 'self'; font-src 'self'; img-src 'self' data:; media-src data:; object-src data:; Referrer-Policy: 'no-referrer'; sandbox allow-same-origin allow-scripts allow-forms allow-popups allow-modals
• 1.3: default-src 'none'; manifest-src 'self'; connect-src *; script-src 'self' 'unsafe-eval'; style-src 'self'; font-src 'self'; img-src 'self' data: blob:; media-src blob:; object-src blob:; sandbox allow-same-origin allow-scripts allow-forms allow-popups allow-modals
• 1.3.1 - 1.3.4: default-src 'none'; manifest-src 'self'; connect-src * blob:; script-src 'self' 'unsafe-eval'; style-src 'self'; font-src 'self'; img-src 'self' data: blob:; media-src blob:; object-src blob:; sandbox allow-same-origin allow-scripts allow-forms allow-popups allow-modals
• 1.3.5: default-src 'none'; manifest-src 'self'; connect-src * blob:; script-src 'self' 'unsafe-eval' resource:; style-src 'self'; font-src 'self'; img-src 'self' data: blob:; media-src blob:; object-src blob:; sandbox allow-same-origin allow-scripts allow-forms allow-popups allow-modals allow-downloads
• 1.4 - 1.7.3: default-src 'none'; base-uri 'self'; form-action 'none'; manifest-src 'self'; connect-src * blob:; script-src 'self' 'unsafe-eval'; style-src 'self'; font-src 'self'; frame-ancestors 'none'; img-src 'self' data: blob:; media-src blob:; object-src blob:; sandbox allow-same-origin allow-scripts allow-forms allow-popups allow-modals allow-downloads
• 1.7.2 & 1.7.3 with bootstrap5: default-src 'self'; base-uri 'self'; form-action 'none'; manifest-src 'self'; connect-src * blob:; script-src 'self' 'unsafe-eval'; style-src 'self'; font-src 'self'; frame-ancestors 'none'; img-src 'self' data: blob:; media-src blob:; object-src blob:; sandbox allow-same-origin allow-scripts allow-forms allow-modals allow-downloads

[elrido]

resolved in 4cf545a / release 0.11.0