Posted to commits@couchdb.apache.org by ja...@apache.org on 2021/09/15 12:40:10 UTC

[couchdb-documentation] branch feat/csp created (now 3c2c5c1)

This is an automated email from the ASF dual-hosted git repository.

jan pushed a change to branch feat/csp
in repository https://gitbox.apache.org/repos/asf/couchdb-documentation.git.


      at 3c2c5c1  feat: document new csp stuff

This branch includes the following new commits:

     new 3c2c5c1  feat: document new csp stuff

The 1 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


[couchdb-documentation] 01/01: feat: document new csp stuff

Posted by ja...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

jan pushed a commit to branch feat/csp
in repository https://gitbox.apache.org/repos/asf/couchdb-documentation.git

commit 3c2c5c1e8c0f994368747e31735026aa9149deec
Author: Jan Lehnardt <ja...@apache.org>
AuthorDate: Wed Sep 15 14:39:59 2021 +0200

    feat: document new csp stuff
---
 src/config/misc.rst | 52 +++++++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 51 insertions(+), 1 deletion(-)

diff --git a/src/config/misc.rst b/src/config/misc.rst
index e7a10fb..000d860 100644
--- a/src/config/misc.rst
+++ b/src/config/misc.rst
@@ -218,7 +218,57 @@ Content-Security-Policy
 
 .. config:section:: csp :: Content-Security-Policy
 
-    Experimental support of CSP Headers for ``/_utils`` (Fauxton).
+  You can configure ``Content-Security-Policy`` header for Fauxton, attachments and
+  show/list functions separately. See `MDN Content-Security-Policy <https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy>`_
+  for more details on CSP.
+
+    .. config:option:: utils_enable
+
+        Enable the sending of the header ``Content-Security-Policy``. Defaults
+        to ``true``::
+
+            [csp]
+            utils_enable = true
+
+    .. config:option:: utils_header_value
+
+        Specifies the exact header value to send. Defaults to::
+
+            [csp]
+            utils_header_value = default-src 'self'; img-src 'self'; font-src *; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline';
+
+    .. config:option:: attachments_enable
+
+        Enable sending the ``Content-Security-Policy`` header for attachments::
+
+            [csp]
+            attachments_enable = true
+
+    .. config:option:: attachments_header_value
+
+        Specifies the exact header value to send. Defaults to::
+
+            [csp]
+            attachments_header_value = sandbox
+
+    .. config:option:: showlist_enable
+
+        Enable sending the ``Content-Security-Policy`` header for show and list functions::
+
+            [csp]
+            showlist_enable = true
+
+    .. config:option:: showlist_header_value
+
+        Specifies the exact header value to send. Defaults to::
+
+            [csp]
+            showlist_header_value = sandbox
+
+    The pre 3.2.0 behaviour is still honoured, but we recommend updating
+    to the new format.
+
+    Experimental support of CSP headers for ``/_utils`` (Fauxton).
 
     .. config:option:: enable
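Review bot: The added introductory paragraph under ``.. config:section:: csp`` (the three lines starting "You can configure") is indented two spaces, while the line it replaces and every ``config:option`` block after it use four. In reStructuredText the directive body takes its indentation from its first content line, so the deeper-indented options may render as a nested block quote instead of as siblings of the paragraph; indent the paragraph to four spaces. Two smaller points in the same hunk: ``attachments_enable`` and ``showlist_enable`` show ``true`` in their examples but, unlike ``utils_enable``, never state a default, so please say what it is for each. The re-added sentence "Experimental support of CSP headers for ``/_utils`` (Fauxton)." now follows the pre 3.2.0 note with nothing marking the ``enable`` option after it as the legacy form; a short label such as "deprecated" there would keep readers from confusing it with ``utils_enable``. Minor wording: "You can configure ``Content-Security-Policy`` header" is missing an article ("the ... header").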