
update Content Security Policy based on Mozilla Observatory

https://observatory.mozilla.org/analyze.html?host=f-droid.org

Tested on https://staging.f-droid.org, looking for errors in Firefox's Browser Console. I also looked at github.com's Content Security Policy:

        default-src 'none';
        base-uri 'self';
        block-all-mixed-content;
        child-src render.githubusercontent.com;
        connect-src 'self' uploads.github.com status.github.com collector.githubapp.com api.github.com www.google-analytics.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com wss://live.github.com;
        font-src assets-cdn.github.com;
        form-action 'self' github.com gist.github.com;
        frame-ancestors 'none';
        img-src 'self' data: assets-cdn.github.com identicons.github.com collector.githubapp.com github-cloud.s3.amazonaws.com *.githubusercontent.com;
        media-src 'none';
        script-src assets-cdn.github.com;
        style-src 'unsafe-inline' assets-cdn.github.com
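The kind of checks an Observatory-style scanner runs against a policy like the one quoted above, as an added example that is not part of this merge request or of the f-droid.org site code. The github.com policy in the block is abridged from the quote (the long connect-src and img-src host lists are shortened), the "weak" policy is constructed for contrast, and the severity labels are this example's own, not Observatory's scoring.

```javascript
// Added example (not part of the f-droid.org merge request): parse a
// Content-Security-Policy header value and flag the weaknesses that
// scanners such as Mozilla Observatory commonly report.

// github.com's policy as quoted in the MR, with the connect-src and
// img-src host lists abridged.
const GITHUB_CSP = [
  "default-src 'none'",
  "base-uri 'self'",
  "block-all-mixed-content",
  "child-src render.githubusercontent.com",
  "connect-src 'self' uploads.github.com api.github.com wss://live.github.com",
  "font-src assets-cdn.github.com",
  "form-action 'self' github.com gist.github.com",
  "frame-ancestors 'none'",
  "img-src 'self' data: assets-cdn.github.com *.githubusercontent.com",
  "media-src 'none'",
  "script-src assets-cdn.github.com",
  "style-src 'unsafe-inline' assets-cdn.github.com",
].join('; ');

// A deliberately weak policy, constructed for this example.
const WEAK_CSP = "default-src *; script-src 'self' 'unsafe-inline' 'unsafe-eval' https:";

// Directives that do NOT fall back to default-src when absent.
const NO_FALLBACK = new Set([
  'base-uri', 'form-action', 'frame-ancestors', 'sandbox', 'report-uri',
  'report-to', 'block-all-mixed-content', 'upgrade-insecure-requests',
]);

// Parse "name value value; name value" into Map<name, string[]>.
// As in the CSP spec, a directive that appears twice keeps its first occurrence.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// Source list the browser will actually enforce for a directive, or null
// when nothing restricts it (no directive and no applicable default-src).
function effectiveSources(policy, directive) {
  if (policy.has(directive)) return policy.get(directive);
  if (NO_FALLBACK.has(directive)) return null;
  return policy.has('default-src') ? policy.get('default-src') : null;
}

// True when a source expression is too broad to stop script injection.
function isBroadSource(src) {
  const s = src.toLowerCase();
  return s === '*' || /^(https?|data|blob|filesystem):$/.test(s) || /^https?:\/\/\*$/.test(s);
}

function auditCsp(header) {
  const policy = parseCsp(header);
  const findings = [];
  const flag = (directive, severity, message) => findings.push({ directive, severity, message });

  if (!policy.has('default-src')) {
    flag('default-src', 'high', 'missing: every fetch directive you forget is unrestricted');
  }

  const scripts = effectiveSources(policy, 'script-src');
  if (scripts === null) {
    flag('script-src', 'high', 'no script-src and no default-src: any script source is allowed');
  } else {
    // 'unsafe-inline' is ignored by CSP2+ browsers once a nonce or hash is present.
    const hasNonceOrHash = scripts.some(s => /^'(nonce-|sha(256|384|512)-)/.test(s));
    if (scripts.includes("'unsafe-inline'") && !hasNonceOrHash) {
      flag('script-src', 'high', "'unsafe-inline' allows injected <script> and event handlers");
    }
    if (scripts.includes("'unsafe-eval'")) {
      flag('script-src', 'medium', "'unsafe-eval' allows eval()/new Function() on attacker-influenced strings");
    }
    for (const s of scripts.filter(isBroadSource)) {
      flag('script-src', 'high', `source ${s} permits scripts from effectively any origin`);
    }
  }

  const objects = effectiveSources(policy, 'object-src');
  if (objects === null || !objects.includes("'none'")) {
    flag('object-src', 'medium', "should be 'none' (or default-src 'none'): plugins can bypass script-src");
  }

  const styles = effectiveSources(policy, 'style-src');
  if (styles !== null && styles.includes("'unsafe-inline'")) {
    flag('style-src', 'low', "'unsafe-inline' lets injected CSS leak data (e.g. attribute selectors)");
  }

  const why = {
    'frame-ancestors': 'clickjacking',
    'base-uri': '<base> injection redirecting relative URLs',
    'form-action': 'form hijacking',
  };
  for (const d of Object.keys(why)) {
    if (!policy.has(d)) {
      flag(d, 'medium', `missing: does not inherit from default-src, leaves ${why[d]} unmitigated`);
    }
  }
  return findings;
}

for (const [label, csp] of [['github.com', GITHUB_CSP], ['weak example', WEAK_CSP]]) {
  console.log(label, auditCsp(csp));
}
```

Against the github.com policy the only finding is the low-severity 'unsafe-inline' in style-src, which is exactly what Observatory reports for policies of that shape; everything else is closed off by default-src 'none' plus explicit frame-ancestors, base-uri and form-action. The weak policy shows why those three directives matter: they do not inherit from default-src, so a policy that sets only default-src and script-src still leaves clickjacking and base-tag injection open.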
