mastrmind11 722 Posted March 29, 2020
> Are you all making changes directly to the web app, or are you all using proxies?
proxy

Shidapu 14 Posted March 30, 2020
I'm also an Nginx user, and I have a B+ score, but CSP has been a nightmare...
wan - cloudflare - VPN - Firewall - nginx - servers
Edited March 30, 2020 by Shidapu

jachin99 87 Posted March 30, 2020
I have actually done this for an IIS site but never anything else. What advantages do you get with Cloudflare when you're using a proxy anyway? Why nginx over others?

Spaceboy 2565 Posted March 30, 2020
jachin99 said:
> I have actually done this for an IIS site but never anything else. What advantages do you get with Cloudflare when you're using a proxy anyway? Why nginx over others?
Cloudflare obscures your IP address

pir8radio 1305 Author Posted March 30, 2020
Shidapu said:
> I'm also an Nginx user, and I have a B+ score, but CSP has been a nightmare...
> wan - cloudflare - VPN - Firewall - nginx - servers
Check out my CSP info page: https://emby.media/community/index.php?/topic/62193-content-security-policy-csp-development/?p=614155

Shidapu 14 Posted March 31, 2020
pir8radio said:
> Check out my CSP info page: https://emby.media/community/index.php?/topic/62193-content-security-policy-csp-development/?p=614155
Sweet, thanks for the link! A+. And working great so far. I also added a report-to line in that code, but not sure if it's working, but the URI analyzer says it's ok, though haven't gotten any reports yet. I posted in your thread, could you check if my CSP is ok?
Edited March 31, 2020 by Shidapu

pir8radio 1305 Author Posted March 31, 2020
Shidapu said:
> Sweet, thanks for the link! A+. And working great so far. I also added a report-to line in that code, but not sure if it's working, but the URI analyzer says it's ok, though haven't gotten any reports yet. I posted in your thread, could you check if my CSP is ok?
Yes, the "report uri" address sends fails... so if your CSP blocked something, the client end would report what was blocked to that URL. So if I went to your server and your CSP blocked something on my browser, my browser would know to "report" that block to that URL so you could see it in a report.
Edited March 31, 2020 by pir8radio

Shidapu 14 Posted March 31, 2020
pir8radio said:
> Yes, the "report uri" address sends fails... so if your CSP blocked something, the client end would report what was blocked to that URL. So if I went to your server and your CSP blocked something on my browser, my browser would know to "report" that block to that URL so you could see it in a report.
Yeah, that's what I want it to do! A good thing to make some ease of mind for me when playing with CSP in the future. Thanks a lot for the good info!

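An added example, not part of any post in this thread: the receiving side of the reporting described above. Browsers POST `report-uri` violations as `application/csp-report` and `report-to` (Reporting API) batches as `application/reports+json`, with different key names, so an endpoint has to accept both. The function name, field names of the normalized result and the sample bodies are constructed for illustration.

```python
import json

# Constructed sample bodies (not captured traffic); hostnames are placeholders.
LEGACY_SAMPLE = json.dumps({"csp-report": {
    "document-uri": "https://emby.example.test/web/index.html",
    "blocked-uri": "https://cdn.example.test/widget.js",
    "violated-directive": "script-src-elem",
    "effective-directive": "script-src-elem",
    "disposition": "enforce"}})
REPORTING_API_SAMPLE = json.dumps([
    {"type": "deprecation", "url": "https://emby.example.test/", "body": {}},
    {"type": "csp-violation", "url": "https://emby.example.test/web/index.html",
     "body": {"documentURL": "https://emby.example.test/web/index.html",
              "blockedURL": "inline",
              "effectiveDirective": "style-src-attr",
              "disposition": "report"}}])

def parse_csp_reports(content_type, body):
    """Normalize one POSTed report body into a list of violation dicts."""
    ctype = content_type.split(";")[0].strip().lower()
    data = json.loads(body)
    if ctype == "application/csp-report":
        # report-uri: a single object under "csp-report", hyphenated keys.
        r = data.get("csp-report", {})
        return [{"page": r.get("document-uri"),
                 "blocked": r.get("blocked-uri"),
                 "directive": r.get("effective-directive") or r.get("violated-directive"),
                 "disposition": r.get("disposition")}]
    if ctype == "application/reports+json":
        # report-to: a batch that can mix report types; keep CSP ones only.
        out = []
        for rep in data:
            if rep.get("type") != "csp-violation":
                continue
            b = rep.get("body") or {}
            out.append({"page": b.get("documentURL"),
                        "blocked": b.get("blockedURL"),
                        "directive": b.get("effectiveDirective"),
                        "disposition": b.get("disposition")})
        return out
    raise ValueError("not a CSP report content type: " + ctype)

if __name__ == "__main__":
    for ctype, body in (("application/csp-report", LEGACY_SAMPLE),
                        ("application/reports+json", REPORTING_API_SAMPLE)):
        for violation in parse_csp_reports(ctype, body):
            print(violation)
```
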
Bartype 1 Posted May 17, 2024
Hi, since Mozilla updated their scoring at the observatory, my score went from A+ to D+, only because "Cross-origin Resource Sharing" scores "-50". Is there a way to up it a little again at Mozilla? The third-party tests (those of them which work) still score A+.

Luke 40079 Posted May 17, 2024
3 hours ago, Bartype said:
> Hi, since Mozilla updated their scoring at the observatory, my score went from A+ to D+, only because "Cross-origin Resource Sharing" scores "-50". Is there a way to up it a little again at Mozilla? The third-party tests (those of them which work) still score A+.
I would post here: @pir8radio may have some thoughts.

Bartype 1 Posted May 17, 2024
Well, that would be true if it was CSP, but that doesn't seem to be the case...

Luke 40079 Posted May 17, 2024
2 hours ago, Bartype said:
> Well, that would be true if it was CSP, but that doesn't seem to be the case...
The server does respond with CORS headers, so that might be causing that.

Bartype 1 Posted May 18, 2024
13 hours ago, Luke said:
> The server does respond with CORS headers, so that might be causing that.
Hmm, I tried adding something like "Access-Control-Allow-Origin: *" to the nginx configuration, which makes it score A+ again. But although I would say this setting doesn't do much, there are some clients, mostly Apple and/or slow internet connections, which have problems, keep buffering or are not able to log in anymore...

Luke 40079 Posted May 18, 2024
9 hours ago, Bartype said:
> Hmm, I tried adding something like "Access-Control-Allow-Origin: *" to the nginx configuration, which makes it score A+ again. But although I would say this setting doesn't do much, there are some clients, mostly Apple and/or slow internet connections, which have problems, keep buffering or are not able to log in anymore...
That's surprising, since the server sometimes adds that. Maybe you're adding it in cases in which the server does something different with it, and overwriting the server value. For best compatibility I would just let the value pass through from Emby Server if you can.

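An added example, not part of any post in this thread: a check for whether the reverse proxy passes `Access-Control-Allow-Origin` through unchanged, as suggested above. It compares the headers of the same response taken directly from the backend and through the proxy; the function names, finding labels and sample header lists are constructed for illustration.

```python
ACAO = "access-control-allow-origin"

def acao_values(headers):
    """All Access-Control-Allow-Origin values in a list of (name, value) pairs."""
    return [v.strip() for n, v in headers if n.lower() == ACAO]

def cors_passthrough_findings(upstream, proxied):
    """Compare the backend's response headers with what the proxy delivered."""
    up, px = acao_values(upstream), acao_values(proxied)
    findings = []
    if len(px) > 1:
        # Browsers fail the CORS check when the header appears more than once.
        findings.append("duplicate")
    if not up and px:
        # The backend chose not to send the header for this response.
        findings.append("added-by-proxy")
    if up and px and set(px) != set(up):
        # The client no longer sees the value the backend decided on.
        findings.append("value-changed")
    return findings

# Constructed samples: (name, value) pairs as an HTTP client would return them.
UPSTREAM_WITH_ORIGIN = [("Content-Type", "application/json"),
                        ("Access-Control-Allow-Origin", "https://app.example.test")]
PROXY_APPENDED_STAR = UPSTREAM_WITH_ORIGIN + [("Access-Control-Allow-Origin", "*")]
UPSTREAM_WITHOUT = [("Content-Type", "text/html")]
PROXY_ADDED_STAR = UPSTREAM_WITHOUT + [("access-control-allow-origin", "*")]

if __name__ == "__main__":
    print(cors_passthrough_findings(UPSTREAM_WITH_ORIGIN, PROXY_APPENDED_STAR))
    print(cors_passthrough_findings(UPSTREAM_WITHOUT, PROXY_ADDED_STAR))
    print(cors_passthrough_findings(UPSTREAM_WITH_ORIGIN, UPSTREAM_WITH_ORIGIN))
```

An empty result for every endpoint a client uses means the proxy is leaving the backend's CORS decision alone.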