Add manifest-src to Content-Security-Policy header (!780) · Merge requests · F-Droid / Website

Steven McDonald requested to merge stevenmcdonald/fdroid-website:CSP-manifest-src into master Mar 16, 2022

Chrome complains about this in the console:

Refused to load manifest from 'https://f-droid.org/assets/site_J9OLInBmO2hLlutzRFC4mdstNJjL44B6NzBbT0ecmA0=.webmanifest' because it violates the following Content Security Policy directive: "default-src 'none'". Note that 'manifest-src' was not explicitly set, so 'default-src' is used as a fallback.

Add manifest-src to Content-Security-Policy header

Merge request reports