Jitsi-meet: Content-Security-Policy needs 'unsafe-inline'

Created on 1 Mar 2018 · 9 comments · Source: jitsi/jitsi-meet

jitsi-meet does not work when a CSP is set in the webserver config file.
It is necessary to allow 'unsafe-inline', otherwise it will not start.
This option leads to a worse test result; for example, try this: https://securityheaders.io/

Please fix it.

By the way:
Your own test result at
https://securityheaders.io/?q=https%3A%2F%2Fmeet.jit.si%2F&followRedirects=on
looks pretty bad. Maybe you want to set some header options?

Label: web

All 9 comments

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

I would like to see this issue reopened. I had to disable my webserver's default restrictive Content-Security-Policy to allow Jitsi Meet to work.

At least the recommended server configuration (https://github.com/jitsi/jitsi-meet/blob/master/doc/debian/jitsi-meet/jitsi-meet.example-apache) should include a value for this header (it does indeed need unsafe-inline to work - at least).

That is the easy part, removing the need for this exception could come in a second time.

Thanks

Providing the right CSP headers with the install and mentioned in the docs would be very nice indeed, as well as a fix for unsafe-inline.

ping @damencho as you seem to be maintaining the apache example file

A PR is welcome as I don't have much experience with apache ... Thanks.

I have added these headers and that works for us. We use NGINX and not Apache.

server {
...
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
# Header name must be hyphenated throughout; a misspelled name is sent but ignored by browsers, so no policy is enforced.
add_header Content-Security-Policy "default-src 'self'; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: https://www.google-analytics.com; script-src 'self' 'unsafe-inline' https://www.google-analytics.com/analytics.js https://www.googletagmanager.com/gtag/js https://unpkg.com; style-src 'self' 'unsafe-inline'; object-src 'none'";
...
}

For Apache the code needs to go in httpd.conf:

<IfModule mod_headers.c>
  <Directory />
    Header always set X-XSS-Protection "1; mode=block"
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set X-Content-Type-Options "nosniff"
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
    Header always set Content-Security-Policy "default-src 'self'; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: https://www.google-analytics.com; script-src 'self' 'unsafe-inline' https://www.google-analytics.com/analytics.js https://www.googletagmanager.com/gtag/js https://unpkg.com; style-src 'self' 'unsafe-inline'; object-src 'none';"
    Header always set Referrer-Policy "strict-origin"
  </Directory>
</IfModule>
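As an added illustration (not code from the thread or from the jitsi-meet project), the script below parses a CSP header value like the one posted above, flags the weak source expressions ('unsafe-inline', 'unsafe-eval', wildcard origins, a missing default-src), checks that the header name is spelled exactly so the browser will honour it, and shows how a 'sha256-...' source for a known inline script body can replace 'unsafe-inline' in script-src. The sample policy string and the inline script body are constructed for the example; nothing is fetched from a server.

```python
"""Audit a Content-Security-Policy value and derive hash sources for inline scripts."""
import base64
import hashlib

# Constructed sample input: the policy posted in the thread, as a literal string.
SAMPLE_CSP = (
    "default-src 'self'; font-src 'self' https://fonts.gstatic.com; "
    "img-src 'self' data: https://www.google-analytics.com; "
    "script-src 'self' 'unsafe-inline' https://www.google-analytics.com/analytics.js "
    "https://www.googletagmanager.com/gtag/js https://unpkg.com; "
    "style-src 'self' 'unsafe-inline'; object-src 'none'"
)

FETCH_DIRECTIVES = ("script-src", "style-src")
# Any of these in a directive makes CSP Level 2+ browsers ignore 'unsafe-inline' there.
INLINE_OVERRIDES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def is_csp_header_name(name: str) -> bool:
    """Browsers match the header name case-insensitively but otherwise exactly.

    A typo such as an underscore is sent to the client and silently ignored,
    so the site ends up with no policy at all."""
    return name.lower() == "content-security-policy"


def parse_csp(value: str) -> dict:
    """Split a policy into {directive: [source expressions]}.

    Directives are separated by ';', sources by whitespace. Per the CSP
    spec a repeated directive is ignored: the first occurrence wins."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name in policy:
            continue
        policy[name] = tokens[1:]
    return policy


def effective_sources(policy: dict, directive: str) -> list:
    """Fetch directives fall back to default-src when not set explicitly."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src", [])


def audit_csp(value: str) -> list:
    """Return human-readable findings about weak settings in the policy."""
    policy = parse_csp(value)
    findings = []
    if "default-src" not in policy:
        findings.append("no default-src: any directive you forgot is unrestricted")
    for directive in FETCH_DIRECTIVES:
        sources = effective_sources(policy, directive)
        if "'unsafe-inline'" in sources:
            if any(s.startswith(INLINE_OVERRIDES) for s in sources):
                findings.append(
                    f"{directive}: 'unsafe-inline' is ignored by CSP2 browsers "
                    "because a nonce/hash source is present"
                )
            else:
                findings.append(f"{directive} allows 'unsafe-inline'")
        if "'unsafe-eval'" in sources:
            findings.append(f"{directive} allows 'unsafe-eval'")
        if "*" in sources or "https:" in sources:
            findings.append(f"{directive} allows scripts from any origin")
    return findings


def script_hash_source(inline_body: str) -> str:
    """Return the 'sha256-<base64>' source expression that whitelists exactly this
    inline script/style body (the text between the tags, byte for byte)."""
    digest = hashlib.sha256(inline_body.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def replace_unsafe_inline(value: str, directive: str, inline_bodies: list) -> str:
    """Drop 'unsafe-inline' from one directive and add a hash source per inline body."""
    policy = parse_csp(value)
    sources = [s for s in effective_sources(policy, directive) if s != "'unsafe-inline'"]
    sources += [script_hash_source(body) for body in inline_bodies]
    policy[directive] = sources
    return "; ".join(f"{name} {' '.join(srcs)}".strip() for name, srcs in policy.items())


if __name__ == "__main__":
    print("header name OK:", is_csp_header_name("Content-Security_Policy"))
    for finding in audit_csp(SAMPLE_CSP):
        print("-", finding)
    # Constructed inline script body standing in for one the app would ship.
    hardened = replace_unsafe_inline(SAMPLE_CSP, "script-src", ["console.log('hi')"])
    print(hardened)
```

The hash approach only works for inline scripts whose text is fixed at build time; for a page that renders per request, a nonce generated by the webserver and injected into each script tag is the usual alternative. Either way the audit shows which directive still carries 'unsafe-inline' so the exception can be narrowed rather than applied site-wide.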

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

/unstale

I think @echristiaans' configuration is correct, will try to test it when time allows

@damencho can you reopen? I still have this on my radar
