2024-04-30, 08:09 AM
(This post was last modified: 2024-04-30, 08:14 AM by Partition. Edited 1 time in total.)
(2024-04-30, 05:37 AM)niels Wrote: Those measure tools are just tools. The web frontend for Jellyfin requires inline scripts and data urls so you can't block them in the CSP.
gstatic.com is for chromecast support
youtube.com is for trailers
Thank you for the clarification.
I know that I can't block them in Jellyfin's current state, but the goal is to make it as safe as possible without using broad directives that could potentially be abused.
The main.jellyfin.bundle.js is the only file that is referenced in style-src errors while loading without unsafe-inline.
Do you know if this is the only loaded file for the web frontend? Yesterday I was experimenting with the strict-dynamic directive and using hashes for verification, but couldn't get it to work. The strict-dynamic directive of style-src-attr and style-src-elem in combination with a hash value should allow unsafe-inline, but only from the referenced file with the correct hash.
The only downside is I have to edit the traefik config when the *.js file gets updated.
Any thoughts about that approach?
Edit: I just noticed you are one of the devs from the android tv app. Great work btw! I came from the Samsung Tizen build and it's a night and day difference to use an official app.
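The hash-based approach discussed in this post can be checked offline before touching the proxy config. The script below is an added example, not code from the post, from Jellyfin or from Traefik: it extracts the inline `<script>` and `<style>` blocks from a page, emits the `'sha256-…'` source expressions a browser would accept for them, assembles a header without `'unsafe-inline'`, and then simulates the browser's check so you can see which blocks would be allowed or blocked. The HTML is constructed for the demo and the bundle path `/web/main.jellyfin.bundle.js` is an assumption, not a verified Jellyfin path. Two caveats a practitioner should keep in mind: `'strict-dynamic'` is only defined for `script-src`, not the `style-src` family, and a plain hash source matches inline content byte-for-byte, so it does not cover an external file like the bundle itself and does not cover `style=""` attributes unless `'unsafe-hashes'` is also present.

```python
"""Compute CSP hash sources for inline <script>/<style> blocks and build a
header that replaces 'unsafe-inline' with per-block hashes.

Added example, not Jellyfin or Traefik code. SAMPLE_HTML is constructed for
the demo; a real run would read the served index.html instead.
"""
import base64
import hashlib
import re

# Constructed sample page: one inline style, one inline script, one external
# bundle. The bundle path is an assumption. Its contents are not hashed here,
# because a plain hash source does not cover an externally loaded script.
SAMPLE_HTML = """<!doctype html>
<html><head>
<style>body { background: #000; }</style>
<script src="/web/main.jellyfin.bundle.js"></script>
<script>window.appMode = "standalone";</script>
</head><body></body></html>
"""


def csp_hash(content: bytes, algo: str = "sha256") -> str:
    """Return a CSP hash source ('sha256-<base64>') for the exact bytes given.

    Browsers hash the element's text content verbatim, so any whitespace
    inside the tag changes the value; hash what is actually served.
    """
    if algo not in ("sha256", "sha384", "sha512"):
        raise ValueError("CSP only allows sha256, sha384 or sha512")
    digest = hashlib.new(algo, content).digest()
    return f"'{algo}-{base64.b64encode(digest).decode('ascii')}'"


def inline_blocks(html: str, tag: str) -> list[bytes]:
    """Extract the text of every inline <tag>...</tag> that has no src attribute."""
    pattern = re.compile(rf"<{tag}\b([^>]*)>(.*?)</{tag}\s*>", re.S | re.I)
    blocks = []
    for attrs, body in pattern.findall(html):
        if re.search(r"\bsrc\s*=", attrs, re.I):
            continue  # external resource: governed by host sources, not a hash
        blocks.append(body.encode("utf-8"))
    return blocks


def build_csp(html: str, script_hosts=("'self'",), style_hosts=("'self'",)) -> str:
    """Build a policy whose inline blocks are allowed by hash instead of 'unsafe-inline'."""
    script_src = list(script_hosts) + [csp_hash(b) for b in inline_blocks(html, "script")]
    style_src = list(style_hosts) + [csp_hash(b) for b in inline_blocks(html, "style")]
    directives = [
        ("default-src", ["'self'"]),
        ("script-src", script_src),
        ("style-src", style_src),
        ("object-src", ["'none'"]),
        ("base-uri", ["'self'"]),
    ]
    return "; ".join(f"{name} {' '.join(sources)}" for name, sources in directives)


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a serialized policy into {directive: [source, ...]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def inline_allowed(header: str, directive: str, content: bytes) -> bool:
    """Mimic the browser's decision for one inline block under one directive.

    Resolution order follows the spec's fallback: style-src-elem -> style-src
    -> default-src. Once any hash or nonce source is present, 'unsafe-inline'
    is ignored, so a block passes only if its own hash is listed.
    """
    policy = parse_csp(header)
    chain = [directive]
    if directive.endswith(("-elem", "-attr")):
        chain.append(directive.rsplit("-", 1)[0])
    chain.append("default-src")
    sources = next((policy[d] for d in chain if d in policy), [])
    strict = [s for s in sources if s.startswith(("'sha256-", "'sha384-", "'sha512-", "'nonce-"))]
    if not strict:
        return "'unsafe-inline'" in sources
    return any(csp_hash(content, s[1:7]) in sources for s in strict if s.startswith("'sha"))


if __name__ == "__main__":
    header = build_csp(SAMPLE_HTML)
    print("Content-Security-Policy:", header)
    for body in inline_blocks(SAMPLE_HTML, "style"):
        print("served style block allowed:", inline_allowed(header, "style-src-elem", body))
    print("unlisted style allowed:", inline_allowed(header, "style-src", b"body{color:red}"))
```

Re-run the script against the freshly served page after each upgrade and paste the new `'sha256-…'` sources into the proxy's header; the hash for `main.jellyfin.bundle.js` itself does not belong in `style-src`, since that file is matched by `'self'` under `script-src`, and any inline styles it injects at runtime have to be hashed individually.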