2024-04-29, 06:19 PM 
		
	
	
		Hey, 
I'm struggling with a proper solution regarding Jellyfin's Content Security Policy.
My current Traefik setup follows the general recommendations from the official Traefik v2 guide, but it's missing a good CSP header solution for an A+ website certificate.
This topic also has 5-year-old feature requests, but I doubt anything is planned at the moment:
- https://features.jellyfin.org/posts/95/implement-a-safe-content-security-policy
- https://features.jellyfin.org/posts/155/csp-compatibility-some-websecurity-standards
My current config looks like this:
Code:
contentsecuritypolicy: "  base-uri 'none';  connect-src 'self';  default-src 'none';  font-src 'self';  form-action 'self';  frame-ancestors 'none';  frame-src 'self';  img-src 'self';  media-src 'self' data:;  object-src 'none';  script-src 'self';  style-src 'self'"

It accomplishes an A+ certificate (otherwise it's only B), but I'm unable to resolve the Jellyfin subdomain from a browser and the mobile app. The webpage is completely broken, but some apps like the one for Windows and Android TV work.
What should I change in my CSP header config to have a usable webpage until / if the features get implemented?
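
Added example, not part of the original post: a small Python check that parses the policy quoted above and resolves which directive governs each kind of load, using the CSP Level 3 fallback chains. The sample loads are constructed generic cases (an assumption, not a list of what Jellyfin's web client requests), meant to be compared with the violations the browser console reports; only keyword and scheme sources are modelled.

```python
# Added example (not from the original post). Policy string copied from the post.
POSTED = (
    "base-uri 'none'; connect-src 'self'; default-src 'none'; font-src 'self'; "
    "form-action 'self'; frame-ancestors 'none'; frame-src 'self'; img-src 'self'; "
    "media-src 'self' data:; object-src 'none'; script-src 'self'; style-src 'self'"
)

# CSP Level 3 fallbacks that are tried before default-src.
FALLBACK = {"worker-src": ["child-src", "script-src"], "frame-src": ["child-src"]}

# Constructed sample loads: (fetch directive, kind of source requested).
SAMPLE_LOADS = [
    ("script-src", "self"), ("script-src", "inline"), ("style-src", "inline"),
    ("img-src", "data:"), ("img-src", "https:"), ("media-src", "blob:"),
    ("worker-src", "blob:"), ("manifest-src", "self"), ("connect-src", "self"),
]

def parse_csp(policy):
    """Split a policy string into {directive: [source expressions]}."""
    csp = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() not in csp:  # first occurrence wins
            csp[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return csp

def effective(csp, directive):
    """Return (governing directive, sources) after fallback, or (None, None)."""
    for name in [directive, *FALLBACK.get(directive, []), "default-src"]:
        if name in csp:
            return name, csp[name]
    return None, None  # nothing restricts this fetch type

def allows(csp, directive, load):
    """load is 'self', 'inline', or a scheme such as 'data:', 'blob:', 'https:'.
    Simplified: host sources, wildcards, nonces and hashes are not modelled."""
    _, sources = effective(csp, directive)
    if sources is None:
        return True
    wanted = {"self": "'self'", "inline": "'unsafe-inline'"}.get(load, load)
    return wanted in sources  # 'none' or an empty list matches nothing

def report(policy, loads=SAMPLE_LOADS):
    csp = parse_csp(policy)
    return [(d, l, effective(csp, d)[0], allows(csp, d, l)) for d, l in loads]

if __name__ == "__main__":
    for d, l, gov, ok in report(POSTED):
        print(f"{d:13} {l:7} via {str(gov):12} {'allow' if ok else 'BLOCK'}")
```

Each BLOCK row names the directive that would have to change for that kind of load to pass.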



