Is CSP applicable to Emby ?

[Leahkim 8]

Hello folks

I'm keen on: is it possible to use a restrictive CSP (Content Security Policy) with emby ?

I tried to apply the 'best practice' CSP header to my reverse proxy:

Header set Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self'"

But I found some movies weren't readable anymore (why not all, I don't know), while the full configuration pane is working except the Emby Premiere page (and it disables premiere so).

No special logs displayed, the only error displayed in a loop was: (but I still have it without CSP, and all is working)

Quote

2024-10-23 22:27:39.065 Info Server: http/1.1 Response 404 to PUBLIC_IP. Time: 0ms. GET http://PRIVATE_IP:8096/emby/embywebsocket?api_key=API_KEY&deviceId=ac5c20b47d89157e

Looking the source from the page content gave this list, added to my URL:

github.com: many PNG files to display icons (firefox, chrome, android, etc.) eg. https://github.com/MediaBrowser/Emby.Resources/raw/master/images/devices/chrome.png

All these redirect 302 to raw.githubusercontent.com.

mediabrowser.github.io: EmbyTV icon (https://mediabrowser.github.io/Emby.AndroidTv/appicon.png)
mb3admin.com: getStatus script call (https://mb3admin.com/admin/service/registration/getStatus)

So, my question is: is Emby available with a (more) restrictive CSP than the default empty one ?

Is it planned in the future to embed all these icons to allow only the licence check as an external resource ? I understand this one obviously needs an external access.

 

Thanks in advance !

Edited October 24, 2024 by Leahkim
correction

[Luke 42077]

Hi, you'll find some good advice on that here:

 

[Leahkim 8]

Thanks, I searched for this kind of posts but didn't got it.