CSP security changes for the web browser vault:
- remove 'unsafe-inline' for style-src and move any css to separate files.
- add object-src 'none'; to prevent extensions from injecting embeds.
- specify connect-src *; to be more specific… this is probably the worst of the three.
Wondering about connect-src * in particular… was it too much of a pain? (I know CSP is a pain in general)
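The three points in the list above can be checked mechanically. The following is an added example, not code from the vault project or the original post: it parses a Content-Security-Policy header into its directives and reports 'unsafe-inline' in style-src, a missing or non-'none' object-src, and a wildcard connect-src, taking the default-src fallback into account. The two sample policies are constructed for illustration; the API origin in the hardened one is a placeholder, not any real site.

```python
"""Lint a Content-Security-Policy header for the three weaknesses above.

Added example, not the vault's own code. The policies at the bottom are
constructed samples; the API origin is a placeholder.
"""
from typing import Dict, List


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [source expressions]}.

    Directives are ';'-separated; the first token is the directive name, the
    rest are source expressions. Names are case-insensitive. If a directive is
    repeated, browsers use the first occurrence, so setdefault keeps the first.
    """
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def lint_csp(header: str) -> List[str]:
    """Return findings for the three issues raised in the post."""
    policy = parse_csp(header)
    findings: List[str] = []
    default_src = policy.get("default-src")

    # 1. style-src with 'unsafe-inline' (style-src falls back to default-src).
    style_src = policy.get("style-src", default_src or [])
    if "'unsafe-inline'" in style_src:
        findings.append("style-src allows 'unsafe-inline'; move inline CSS to separate files")

    # 2. object-src: absent (and no default-src) means plugins/embeds are
    #    unrestricted; anything other than 'none' still permits some embeds.
    object_src = policy.get("object-src", default_src)
    if object_src is None:
        findings.append("object-src is not set; add object-src 'none' to block embeds")
    elif object_src != ["'none'"]:
        findings.append("object-src should be 'none' (got: %s)" % " ".join(object_src))

    # 3. connect-src '*' lets page scripts reach any origin via fetch/XHR/WebSocket.
    connect_src = policy.get("connect-src", default_src or [])
    if "*" in connect_src:
        findings.append("connect-src uses '*'; list only the API origins the vault uses")

    return findings


# Constructed sample: the shape of the policy the post is complaining about.
WEAK_POLICY = (
    "default-src 'self'; "
    "style-src 'self' 'unsafe-inline'; "
    "connect-src *"
)

# Constructed sample applying the three suggested changes (placeholder API origin).
HARDENED_POLICY = (
    "default-src 'self'; "
    "style-src 'self'; "
    "object-src 'none'; "
    "connect-src 'self' https://api.example.invalid"
)

if __name__ == "__main__":
    for label, pol in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(label + ":", lint_csp(pol) or ["no findings"])
```

Run it against a real header by pasting the value of the Content-Security-Policy response header into `lint_csp`; with the weak sample it reports all three findings (object-src is flagged because it inherits 'self' from default-src rather than being 'none'), and with the hardened sample it reports none.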
This site is being run by the guy who runs haveibeenpwned and his friends. It’s got a great wizard that will catch reports including report-only header reports, and tell you how to make your CSP a lot more tailored.