2024-04-29, 06:19 PM
Hey,
I'm struggeling with a proper solution regarding Jellyfin's Content Security Policy.
My current traefik setup follows the general recommendations from the official Traefik v2 guide , but it's missing a good csp header solution for an A+ website certificate.
This topic also has 5 year old feature requests, but I doubt anything is planned at the moment:
My current config looks like this:
It accomplishes an A+ certificate ( otherwise it's only B ), but I'm unable to resolve the jellyfin subdomain from a browser and the mobile app. The webpage is completely broken, but some apps like the one for Windows and Android TV work.
What should I change in my CSP header config to have a usable webpage untill / if the features get implemented?
I'm struggeling with a proper solution regarding Jellyfin's Content Security Policy.
My current traefik setup follows the general recommendations from the official Traefik v2 guide , but it's missing a good csp header solution for an A+ website certificate.
This topic also has 5 year old feature requests, but I doubt anything is planned at the moment:
- https://features.jellyfin.org/posts/95/implement-a-safe-content-security-policy
- https://features.jellyfin.org/posts/155/csp-compatibility-some-websecurity-standards
My current config looks like this:
Code:
contentsecuritypolicy: " base-uri 'none'; connect-src 'self'; default-src 'none'; font-src 'self'; form-action 'self'; frame-ancestors 'none'; frame-src 'self'; img-src 'self'; media-src 'self' data:; object-src 'none'; script-src 'self'; style-src 'self'"It accomplishes an A+ certificate ( otherwise it's only B ), but I'm unable to resolve the jellyfin subdomain from a browser and the mobile app. The webpage is completely broken, but some apps like the one for Windows and Android TV work.
What should I change in my CSP header config to have a usable webpage untill / if the features get implemented?