docs(caddy): note future CSP must allow wasm-unsafe-eval for pdf.js
Some checks failed
CI / Unit & Component Tests (pull_request) Failing after 2m57s
CI / OCR Service Tests (pull_request) Successful in 23s
CI / Backend Unit Tests (pull_request) Successful in 3m31s
CI / fail2ban Regex (pull_request) Successful in 44s
CI / Semgrep Security Scan (pull_request) Successful in 21s
CI / Compose Bucket Idempotency (pull_request) Successful in 1m5s
If a Content-Security-Policy is ever added, it must permit 'wasm-unsafe-eval' (script-src) and 'self' blob: (worker-src) or the pdf.js wasm decoders and worker break and scanned PDFs render blank.

Forward-looking note so the future CSP author doesn't silently reintroduce #708.

Refs #708

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
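The requirement the commit message states can be turned into a regression check so that a future CSP does not silently break pdf.js. The following is an added example, not code from the repository: it parses a Content-Security-Policy header value, resolves the governing source list for `script-src` and `worker-src` using the standard CSP fallback chain (`worker-src` falls back to `child-src`, then `script-src`, then `default-src`; `script-src` falls back to `default-src`), and reports which of the two requirements would fail. The policy strings and the function names (`parse_csp`, `pdfjs_csp_problems`) are constructed for this example.

```python
"""Regression check for the pdf.js CSP requirement noted in the commit.

Added example, not part of the repository. Given a Content-Security-Policy
header value, report whether it would block the pdf.js WebAssembly decoders
(script-src needs 'wasm-unsafe-eval') or the pdf.js worker (worker-src needs
'self' and blob:). The sample policies at the bottom are constructed.
"""

from typing import Dict, List, Optional


def _normalise(token: str) -> str:
    # Keyword sources ('self', 'none', ...) and scheme sources (blob:, data:)
    # are ASCII case-insensitive; host sources are left as written.
    if token.startswith("'") or (token.endswith(":") and "/" not in token):
        return token.lower()
    return token


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header value into {directive name: [source expressions]}.

    Directives are ';'-separated; inside a directive the tokens are
    whitespace-separated and the first one is the directive name. When a
    directive is repeated, the first occurrence wins, as in the CSP spec.
    """
    policy: Dict[str, List[str]] = {}
    for raw in header.split(";"):
        tokens = raw.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in policy:
            policy[name] = [_normalise(t) for t in tokens[1:]]
    return policy


def effective_sources(policy: Dict[str, List[str]], directive: str,
                      fallbacks: List[str]) -> Optional[List[str]]:
    """Return the source list governing `directive`, following its fallback
    chain. None means no directive applies, so nothing is restricted."""
    for name in [directive, *fallbacks]:
        if name in policy:
            return policy[name]
    return None


def pdfjs_csp_problems(header: str) -> List[str]:
    """Return human-readable problems; an empty list means pdf.js should load."""
    policy = parse_csp(header)
    problems: List[str] = []

    scripts = effective_sources(policy, "script-src", ["default-src"])
    # 'unsafe-eval' also permits wasm compilation but is far broader than
    # needed; 'wasm-unsafe-eval' is the one the commit asks for.
    if scripts is not None and not ({"'wasm-unsafe-eval'", "'unsafe-eval'"} & set(scripts)):
        problems.append("script-src lacks 'wasm-unsafe-eval': pdf.js wasm decoders blocked")

    workers = effective_sources(policy, "worker-src",
                                ["child-src", "script-src", "default-src"])
    if workers is not None:
        # A host source equal to the page origin would also match; this check
        # keeps to the 'self' keyword the commit names.
        if "'self'" not in workers:
            problems.append("worker-src (or its fallback) lacks 'self': worker script blocked")
        # '*' does not match blob: URLs, so the scheme must be listed explicitly.
        if "blob:" not in workers:
            problems.append("worker-src (or its fallback) lacks blob:: blob-URL worker blocked")
    return problems


# Constructed sample policies (not the repository's Caddyfile).
CSP_STRICT = "default-src 'self'; script-src 'self'; object-src 'none'"
CSP_PDFJS_OK = (
    "default-src 'self'; script-src 'self' 'wasm-unsafe-eval'; "
    "worker-src 'self' blob:; object-src 'none'"
)
# Satisfies both requirements through default-src alone via the fallback chain.
CSP_VIA_DEFAULT = "default-src 'self' blob: 'wasm-unsafe-eval'"


if __name__ == "__main__":
    for label, csp in [("strict", CSP_STRICT), ("pdfjs", CSP_PDFJS_OK),
                       ("via-default", CSP_VIA_DEFAULT)]:
        print(f"{label}: {pdfjs_csp_problems(csp) or 'ok'}")
```

Run it against the header value the Caddyfile will eventually set; a non-empty result means the policy reintroduces the blank-PDF symptom the commit warns about.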
@@ -22,6 +22,10 @@
# XSS landing in a privileged origin: a payload cannot silently turn
# on the microphone or read geolocation.
Permissions-Policy "camera=(), microphone=(), geolocation=()"
# No Content-Security-Policy is set yet. When one is added, it MUST
# include `script-src 'wasm-unsafe-eval'` and `worker-src 'self' blob:`
# or the pdf.js WebAssembly image decoders (JBIG2/CCITTFax/JPEG2000)
# and worker will be blocked and scanned PDFs render blank. See #708.
-Server
}
}
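Review bot: the added comment presents `script-src 'wasm-unsafe-eval'` as if it were a complete directive, but a script-src containing only that source expression would block the application's own same-origin scripts, so a future author who copies it literally breaks far more than pdf.js. Phrase it as an addition to the existing source list, for example `script-src 'self' 'wasm-unsafe-eval'`, which also matches the form already used for `worker-src 'self' blob:` on the next line. Pointing at #708 for the symptom is good; consider naming the test or fixture that reproduces it so the future CSP change can be verified rather than read.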