Posted to commits@couchdb.apache.org by ja...@apache.org on 2021/09/18 14:00:27 UTC

[couchdb-documentation] branch main updated: feat: document new csp stuff

This is an automated email from the ASF dual-hosted git repository.

jan pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/couchdb-documentation.git


The following commit(s) were added to refs/heads/main by this push:
     new 9a2b735  feat: document new csp stuff
9a2b735 is described below

commit 9a2b735da0437c508f6bbcee5551ead337e1c56a
Author: Jan Lehnardt <ja...@apache.org>
AuthorDate: Wed Sep 15 14:39:59 2021 +0200

    feat: document new csp stuff
---
 src/config/misc.rst | 52 +++++++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 51 insertions(+), 1 deletion(-)

diff --git a/src/config/misc.rst b/src/config/misc.rst
index e7a10fb..719ca14 100644
--- a/src/config/misc.rst
+++ b/src/config/misc.rst
@@ -218,7 +218,57 @@ Content-Security-Policy
 
 .. config:section:: csp :: Content-Security-Policy
 
-    Experimental support of CSP Headers for ``/_utils`` (Fauxton).
+  You can configure ``Content-Security-Policy`` header for Fauxton, attachments and
+  show/list functions separately. See `MDN Content-Security-Policy <https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy>`_
+  for more details on CSP.
+
+    .. config:option:: utils_enable
+
+        Enable the sending of the header ``Content-Security-Policy`` for ``/_utils``.
+        Defaults to ``true``::
+
+            [csp]
+            utils_enable = true
+
+    .. config:option:: utils_header_value
+
+        Specifies the exact header value to send. Defaults to::
+
+            [csp]
+            utils_header_value = default-src 'self'; img-src 'self'; font-src *; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline';
+
+    .. config:option:: attachments_enable
+
+        Enable sending the ``Content-Security-Policy`` header for attachments::
+
+            [csp]
+            attachments_enable = true
+
+    .. config:option:: attachments_header_value
+
+        Specifies the exact header value to send. Defaults to::
+
+            [csp]
+            attachments_header_value = sandbox
+
+    .. config:option:: showlist_enable
+
+        Enable sending the ``Content-Security-Policy`` header for show and list functions::
+
+            [csp]
+            showlist_enable = true
+
+    .. config:option:: showlist_header_value
+
+        Specifies the exact header value to send. Defaults to::
+
+            [csp]
+            showlist_header_value = sandbox
+
+    The pre 3.2.0 behaviour is still honoured, but we recommend updating
+    to the new format.
+
+    Experimental support of CSP headers for ``/_utils`` (Fauxton).
 
     .. config:option:: enable
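Review bot: the ``attachments_enable`` and ``showlist_enable`` entries do not state a default, whereas ``utils_enable`` says "Defaults to ``true``". The ``= true`` in their examples could be read either as the default or as an opt-in setting, and an operator needs to know whether the ``sandbox`` policy is sent for attachments and show/list responses without any configuration. Please add the default to both entries. Three smaller points. The new intro paragraph ("You can configure ...") is indented two spaces while the line it replaces and the rest of the section body use four; aligning it keeps the directive body at one indentation level. The retained sentence "Experimental support of CSP headers for ``/_utils`` (Fauxton)." now follows the "pre 3.2.0 behaviour" note without saying that it and the ``enable`` option after it are the old format, so a short label marking where the legacy options begin would help. "You can configure ``Content-Security-Policy`` header" also reads better as "the ``Content-Security-Policy`` header".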