Open Changaco opened 6 years ago
Current CSP of GitHub (homepage):
default-src 'none';
base-uri 'self';
child-src render.githubusercontent.com;
connect-src 'self' uploads.github.com status.github.com collector.githubapp.com api.github.com www.google-analytics.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com wss://live.github.com;
font-src assets-cdn.github.com;
form-action 'self' github.com gist.github.com;
frame-ancestors 'none';
img-src 'self' data: assets-cdn.github.com identicons.github.com collector.githubapp.com github-cloud.s3.amazonaws.com *.githubusercontent.com;
media-src 'none';
script-src assets-cdn.github.com;
style-src 'unsafe-inline' assets-cdn.github.com
Reticketing from https://github.com/liberapay/liberapay.com/pull/498#pullrequestreview-83973507.
'unsafe-inline' from script-src
'unsafe-inline' from style-src
form-action 'self'
connect-src to 'self' %(main_domain)s *.liberapay.org *.mangopay.com *.payline.com
img-src (requires #504)
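
An added example, not part of the issue or of Liberapay's code: a small auditor that parses a CSP header value and reports the five items listed above. The `WEAK` and `TIGHT` policies are constructed for illustration; `TIGHT` uses the connect-src hosts from the list, without the `%(main_domain)s` template placeholder.

```python
HASH_OR_NONCE = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")
BROAD = {"*", "http:", "https:"}  # sources that match any host

def parse_csp(policy):
    """Split a CSP header value into {directive: [lower-cased sources]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            # Browsers ignore a repeated directive: keep the first one.
            directives.setdefault(tokens[0].lower(),
                                  [t.lower() for t in tokens[1:]])
    return directives

def audit(policy):
    """Return a list of findings for the checklist items of this issue."""
    d = parse_csp(policy)
    findings = []
    for name in ("script-src", "style-src"):
        src = d.get(name, d.get("default-src"))  # fetch directives fall back
        if src is None:
            findings.append(f"{name}: unrestricted")
        # 'unsafe-inline' is ignored by browsers when a nonce or hash is set.
        elif "'unsafe-inline'" in src and not any(
                s.startswith(HASH_OR_NONCE) for s in src):
            findings.append(f"{name}: 'unsafe-inline'")
    # form-action does NOT fall back to default-src: absent means no limit.
    if "form-action" not in d:
        findings.append("form-action: missing")
    for name in ("connect-src", "img-src"):
        src = d.get(name, d.get("default-src"))
        if src is None or BROAD & set(src):
            findings.append(f"{name}: any host allowed")
    return findings

# Constructed policies (not Liberapay's real header).
WEAK = ("default-src 'self'; script-src 'self' 'unsafe-inline'; "
        "style-src 'self' 'unsafe-inline'; img-src *; connect-src *")
TIGHT = ("default-src 'none'; script-src 'self'; style-src 'self'; "
         "form-action 'self'; img-src 'self'; "
         "connect-src 'self' *.liberapay.org *.mangopay.com *.payline.com")

if __name__ == "__main__":
    for label, policy in (("weak", WEAK), ("tight", TIGHT)):
        print(label, audit(policy) or "no findings")
```

Run against the GitHub policy quoted at the top of the issue, the only finding is `'unsafe-inline'` in style-src.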