  • 0 Votes
    22 Posts
    584 Views
    robi
    @archos interesting it knows how to access the old doc to make a new copy. Nice find!
  • Content Security Policy produces a javascript error.

    Gitea csp
    1 Votes
    3 Posts
    93 Views
    nebulon
    Many apps require browser features like JavaScript eval(), for example, which would be blocked with the strict rules. This does not automatically mean the app is insecure or so; blindly applying those rules without understanding the apps does not add much benefit there. There are various ways apps can protect unsafe operations besides CSP rules. If you are curious about Gitea usage here, you can try to tweak them to narrow down the issue or ask upstream.
  • CSP Issues

    Solved Support csp
    0 Votes
    5 Posts
    232 Views
    nebulon
    Cloudron does not set the CSP header unless a custom one is specified in the app configure view in the security page. However, apps may set this on their own, either through headers or also as meta tags in the delivered pages. Cloudron does not interfere here. This is however a topic for each app which is not setting those according to your needs.
  • 0 Votes
    11 Posts
    4k Views
    nebulon
    I don't see how this can be actually used for malicious action regarding the translations, since those are coming in a well-known format and from your server itself, so unless someone intercepts or changes that on the server, nothing much can happen (and if someone can do that, well, there are other things one should be worried about). If there are serious concerns around a real security issue, it would be great to have that explained if someone is aware.
  • Unable to enable Rocket Chat omnichannel website embed

    Solved Rocket.Chat csp
    0 Votes
    3 Posts
    1k Views
    ianhyzy
    @fbartels Thank you, that was it! In case anyone else finds this blog post, the updated instructions are here: https://docs.cloudron.io/apps/#custom-csp
  • 0 Votes
    3 Posts
    1k Views
    nebulon
    This can be done via ContentSecurityPolicy and Cloudron supports this for all apps: https://cloudron.io/documentation/apps/#custom-csp