QubesOS / qubes-issues

The Qubes OS Project issue tracker
https://www.qubes-os.org/doc/issue-tracking/

Adding Content-Security-Policy (CSP) to website to protect users against XSS attacks #2756

Open ghost opened 7 years ago

ghost commented 7 years ago

This CSP can be easily added in github pages as explained here and would add more security to the site by protecting users against XSS attacks.

andrewdavidwong commented 7 years ago

Cool! Thanks for pointing this out.

I think we'd just want 'self' for everything. Is there an easy way to do that for all directives, or must we specify each one?

CC @marmarek

marmarek commented 7 years ago

There may be more. Hmm, what is this?! Not so careful grep doesn't reveal anything else.

iamahuman commented 3 years ago

> Hmm, what is this?! Not so careful grep doesn't reveal anything else.

Permalink: https://github.com/QubesOS/qubesos.github.io/blob/f04cbc292c64c3422d5096c9059f36335c4249f0/_includes/head.html#L99-L104

IE<10 doesn't support CSP, so I suppose it can be ignored. That is, if IE is still a thing.
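
A more careful pass than grep for the "'self' for everything" idea discussed above, as an added example that is not part of the original thread or the Qubes OS site code: it parses a page and lists the markup a `default-src 'self'` policy would block, including markup hidden inside IE conditional comments. The names `SelfOnlyAudit` and `audit`, the sample page and its hosts are constructed for illustration, and `'self'` is approximated by a host comparison only.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

URL_ATTR = {"script": "src", "img": "src", "iframe": "src", "link": "href"}

class SelfOnlyAudit(HTMLParser):
    """Collect markup that a `default-src 'self'` policy would block."""
    def __init__(self, self_host, line_offset=0):
        super().__init__()
        self.self_host, self.line_offset, self.findings = self_host, line_offset, []

    def note(self, kind, detail):
        self.findings.append((self.getpos()[0] + self.line_offset, kind, detail))

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        url = attrs.get(URL_ATTR.get(tag, "")) or ""
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            url = ""  # e.g. rel="canonical" is a plain reference, never fetched
        host = urlparse(url).netloc
        if host and host != self.self_host:  # assumption: compare host only
            self.note("external", url)
        if tag == "script" and "src" not in attrs:
            self.note("inline-script", "")
        if tag == "style" or "style" in attrs:
            self.note("inline-style", tag)
        for name in filter(lambda a: a.startswith("on"), attrs):
            self.note("inline-handler", name)

    def handle_comment(self, data):
        # IE conditional comments wrap real markup in a comment; audit the body too.
        if data.lstrip().startswith("[if"):
            inner = data.split("]>", 1)[-1].rsplit("<![endif]", 1)[0]
            nested = SelfOnlyAudit(self.self_host, self.getpos()[0] + self.line_offset - 1)
            nested.feed(inner)
            self.findings += nested.findings

def audit(html, self_host):
    parser = SelfOnlyAudit(self_host)
    parser.feed(html)
    parser.close()
    return sorted(parser.findings)

# Constructed sample page, not taken from the Qubes OS site.
SAMPLE = """<head><link rel="canonical" href="https://site.example/">
<!--[if lt IE 9]>
<script src="https://cdn.example/shiv.js"></script>
<![endif]-->
<script>var x = 1;</script></head>
<body onload="init()"><img src="/img/logo.png" style="width:10px"></body>"""
```

Each finding is a `(line, kind, detail)` tuple; running `audit` over every generated page shows what has to be moved to same-origin files before a `'self'`-only policy can be enabled without breaking the site.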