
Content-Security-Policy when using Misago

Started by DmitriyM, July 24, 2017. 5 replies.
  • DmitriyM (Members, 15 posts), July 24, 2017, 3:20 p.m.

    What Content-Security-Policy should I use with Misago?

    Now I use default-src 'self'; script-src 'self' 'unsafe-inline' www.google.com/recaptcha/ www.gstatic.com/recaptcha/; style-src 'self' 'unsafe-inline'; frame-src www.google.com/recaptcha/; block-all-mixed-content;

    Is it right? Is all OK without script-src unsafe-eval?
    Did I forget about any other domains?

  • Thread has been moved from Development Discussion, by rafalp on July 25, 2017, 12:32 p.m.
  • rafalp (Project Lead, 2028 posts), July 25, 2017, 12:34 p.m.

    Moving to Questions, as this seems to be a setup question and not a dev discussion.

    I don't have a recommendation to make here. What are you after? Are you afraid of people injecting custom <script> tags on your site?

  • DmitriyM (Members, 15 posts), July 26, 2017, 12:48 p.m.
    @rafalp

    Are you afraid of people injecting custom <script> tags on your site?

    Yes, I am. According to my statistics from my other sites (not Misago), ~2% of users have some kind of injected script, iframe or other malware.

  • rafalp (Project Lead, 2028 posts), July 26, 2017, 1:52 p.m.
    @DmitriyM

    ~2% users have any kind of injected script, iframe or other mailware.

    What do you mean? 2% of users successfully compromise the site by injecting malicious JS?

  • DmitriyM (Members, 15 posts), July 26, 2017, 1:58 p.m.
    @rafalp
    @DmitriyM

    ~2% users have any kind of injected script, iframe or other mailware.

    What do you mean? 2% of users successfully compromise site by injecting malicious JS?

    Not compromised, but those users see unexpected advertisements, which I cannot control. This may lead to redirects to other sites or to password stealing.
    I prefer not to take the risk if I can avoid it.

  • rafalp (Project Lead, 2028 posts), July 26, 2017, 9:44 p.m.

    Well, the bad news is that if a user somehow manages to inject a <script> into the site, it'll run under the same policies that Misago's regular JS needs in order to run. You may hope to block most outside scripts, but if a <script src=""> is there and it's blocked, the obvious next move will be to use the same route to inject <script>inline stuff</script> instead.
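To make rafalp's point concrete, here is an added example (not Misago's code and not from either poster) that evaluates the script-src directive of the policy quoted in the first post against a few constructed script loads, following the CSP Level 2 source-matching rules in simplified form. The forum origin https://forum.example, the script URLs and the nonce value are assumptions. The final part goes beyond the thread: it shows how a nonce in the source list makes browsers ignore 'unsafe-inline', which is the standard way to stop injected inline scripts; whether Misago's own templates can be served with a per-response nonce is not something this thread settles.

```javascript
// Added example: a small evaluator for the script-src part of a Content-Security-Policy,
// following CSP Level 2 source matching in simplified form (no 'strict-dynamic', no
// http->https upgrade of scheme-less sources). Not Misago code. PAGE_ORIGIN is an
// assumed forum origin; POLICY is the policy quoted in the first post; every script
// URL and the nonce below are constructed for illustration.

const PAGE_ORIGIN = "https://forum.example";

const POLICY =
  "default-src 'self'; script-src 'self' 'unsafe-inline' www.google.com/recaptcha/ " +
  "www.gstatic.com/recaptcha/; style-src 'self' 'unsafe-inline'; " +
  "frame-src www.google.com/recaptcha/; block-all-mixed-content;";

// Parse "name src src; name src" into a Map of directive name -> source list.
// Browsers honour only the first occurrence of a repeated directive.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

// script-src governs scripts; when it is absent the browser falls back to default-src.
function scriptSourceList(directives) {
  return directives.get("script-src") ?? directives.get("default-src") ?? [];
}

const DEFAULT_PORTS = { "http:": "80", "https:": "443" };
const effectivePort = (url) => url.port || DEFAULT_PORTS[url.protocol] || "";

// host-source grammar: [scheme://]host[:port][/path]; host may be "*" or "*.example.com".
const HOST_SOURCE =
  /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)*)(?::(\d+|\*))?(\/\S*)?$/i;

// Does one scheme-source or host-source expression match `url` for a page at `page`?
function hostSourceMatches(expr, url, page) {
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return url.protocol === expr.toLowerCase(); // "https:"
  const m = HOST_SOURCE.exec(expr);
  if (!m) return false;
  const [, scheme, host, port, path] = m;
  const wantScheme = scheme ? `${scheme.toLowerCase()}:` : page.protocol; // scheme-less: page's scheme
  if (url.protocol !== wantScheme) return false;
  const h = url.hostname.toLowerCase();
  const eh = host.toLowerCase();
  const hostOk = eh === "*" || (eh.startsWith("*.") ? h.endsWith(eh.slice(1)) : h === eh);
  if (!hostOk) return false;
  if (port !== "*" && effectivePort(url) !== (port ?? DEFAULT_PORTS[wantScheme])) return false;
  if (path) return path.endsWith("/") ? url.pathname.startsWith(path) : url.pathname === path;
  return true;
}

// Would the browser load <script src="..."> from `src`?
function allowsExternalScript(policy, src, pageOrigin = PAGE_ORIGIN) {
  const page = new URL(pageOrigin);
  const url = new URL(src);
  return scriptSourceList(parsePolicy(policy)).some((expr) => {
    if (expr === "'self'") return url.origin === page.origin;
    if (expr.startsWith("'")) return false; // 'none', 'unsafe-*', nonces and hashes never match a URL
    return hostSourceMatches(expr, url, page);
  });
}

// Would the browser run an inline <script> block? `nonce` is the tag's nonce attribute.
// Once the source list carries a nonce or hash, 'unsafe-inline' is ignored (CSP Level 2).
function allowsInlineScript(policy, nonce = null) {
  const list = scriptSourceList(parsePolicy(policy));
  const hasNonceOrHash = list.some((e) => /^'(nonce|sha256|sha384|sha512)-/.test(e));
  if (hasNonceOrHash) return nonce !== null && list.includes(`'nonce-${nonce}'`);
  return list.includes("'unsafe-inline'");
}

// Would eval(), new Function() and string arguments to setTimeout() be allowed?
function allowsEval(policy) {
  return scriptSourceList(parsePolicy(policy)).includes("'unsafe-eval'");
}

// Constructed cases showing what the quoted policy does with each kind of script.
function evaluate(policy = POLICY) {
  return {
    recaptchaApi: allowsExternalScript(policy, "https://www.google.com/recaptcha/api.js"),
    recaptchaRelease: allowsExternalScript(policy, "https://www.gstatic.com/recaptcha/releases/x/recaptcha__en.js"),
    googleOtherPath: allowsExternalScript(policy, "https://www.google.com/jsapi"),
    ownStatic: allowsExternalScript(policy, "https://forum.example/static/misago/js/misago.js"),
    injectedExternal: allowsExternalScript(policy, "https://ads.example/inject.js"),
    injectedInline: allowsInlineScript(policy), // true: an injected inline <script> still runs
    evalCall: allowsEval(policy),
  };
}

// Hypothetical nonce-based variant: the nonce makes 'unsafe-inline' inert, so an injected
// inline <script> without the per-response nonce is blocked while tags carrying it still run.
const NONCE_POLICY =
  "script-src 'self' 'unsafe-inline' 'nonce-d29yZGluZw' www.google.com/recaptcha/ www.gstatic.com/recaptcha/";

console.log(evaluate());
console.log("nonce policy, inline without nonce:", allowsInlineScript(NONCE_POLICY));
console.log("nonce policy, inline with nonce:", allowsInlineScript(NONCE_POLICY, "d29yZGluZw"));
```

Run with node; the quoted policy blocks an injected external script and eval(), but injectedInline comes back true because 'unsafe-inline' is in script-src, which is exactly the gap described above. The nonce variant shows the mechanism that closes it: the matcher is intentionally simplified, so treat it as a way to reason about a policy, not as a replacement for testing in a real browser.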
