Closed pdehaan closed 9 years ago
See #216 #221
Or reassign to @oremj if this is more of an Ops/Nginx jam.
A candidate to test would be to include the following to the appropriate location in nginx.conf
server {
    ...
    location / {
        ...
        # Legacy X-CSP syntax: each directive is "name source-list", directives are
        # separated by semicolons (no colons); the stylesheet directive is style-src.
        add_header X-Content-Security-Policy "allow 'self'; script-src api.tiles.mapbox.com; style-src api.tiles.mapbox.com";
    }
}
closed as part of #292
Maybe the reference is wrong, but #292 does not fix this bug, and it does not fix #216 either. Should this be re-opened?
Risk: medium
Ideally applications, especially new applications, have a strict content security policy. This is not a complicated application and applying a content security policy should be simple. The only page where inline (CSS) code is present is the 404.html, which should be easy to move to a separate CSS file.
The risk is marked medium only because we would really like to see apps use CSP. I don’t think there is a direct danger of not having CSP on this site.
— via https://wiki.mozilla.org/Find_My_Device_Security_Review
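As an added example (not code from this issue or the project), a small Python linter that parses the legacy X-Content-Security-Policy syntax proposed above, maps the old `allow` and `xhr-src` names to the standard `default-src` and `connect-src`, and reports the things a reviewer would check: a missing default, `'unsafe-inline'` (what the 404.html inline CSS would need), and per-directive lists that override `default-src` without repeating `'self'`. The sample policies are constructed here and assume the directive colons in the issue's snippet have been replaced with spaces.

```python
# Legacy (Mozilla X-Content-Security-Policy) directive -> standard CSP directive.
LEGACY_DIRECTIVES = {"allow": "default-src", "xhr-src": "connect-src"}


def parse_policy(policy):
    """Parse 'name src src; name src' into {name: [src, ...]}, mapping legacy names."""
    directives = {}
    for clause in policy.split(";"):
        tokens = clause.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        directives[LEGACY_DIRECTIVES.get(name, name)] = tokens[1:]
    return directives


def serialize_policy(directives):
    """Render the directive map as a standard Content-Security-Policy header value."""
    return "; ".join(f"{name} {' '.join(srcs)}".rstrip() for name, srcs in directives.items())


def effective_sources(directives, directive):
    """Sources governing a fetch directive: its own list, else the default-src fallback."""
    if directive in directives:
        return directives[directive]
    return directives.get("default-src", [])


def lint_policy(policy):
    """Return reviewer findings for a policy string (empty list means nothing flagged)."""
    d = parse_policy(policy)
    findings = []
    if "default-src" not in d:
        findings.append("no default-src: unlisted resource types are unrestricted")
    for directive in ("script-src", "style-src"):
        srcs = effective_sources(d, directive)
        if "'unsafe-inline'" in srcs:
            findings.append(f"{directive} allows inline code via 'unsafe-inline'")
        if "*" in srcs:
            findings.append(f"{directive} allows any origin via *")
        # A specific directive replaces default-src entirely; it does not extend it.
        if directive in d and "'self'" in d.get("default-src", []) and "'self'" not in srcs:
            findings.append(f"{directive} overrides default-src and omits 'self'")
    return findings


if __name__ == "__main__":
    # Constructed sample: the issue's proposed policy with the syntax corrected.
    proposed = "allow 'self'; script-src api.tiles.mapbox.com; style-src api.tiles.mapbox.com"
    print(serialize_policy(parse_policy(proposed)))
    for finding in lint_policy(proposed):
        print("finding:", finding)
```

Run against the proposed policy, the linter points out that the site's own scripts and stylesheets would be blocked, because `script-src` and `style-src` replace `allow 'self'` rather than adding to it.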