We're trying to get Webtorrent to work with Plone 5.
But it appears there is some further tweaking necessary to get Webtorrent to be allowed to run.
We are getting the following error from the embedded code:
[Report Only] Refused to load the script 'https://cdn.jsdelivr.net/webtorrent/latest/webtorrent.min.js' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-inline' 'unsafe-eval'".
Here is most of the code: http://pastebin.com/8gNwy3eH
Any ideas what else we need to tweak to allow it to run?
Ah, never mind, it is probably this issue: "The Content Security Policy (CSP) is a powerful mechanism to prevent Cross Site Scripting (XSS) attacks on web sites which accounts for the majority of all security vulnerabilities.
But CSP is off to a slow start and is not implemented on the vast majority of web sites. Perhaps the difficulty implementing CSP is to blame?" - https://embedthis.com/blog/posts/content-security-policy/
Turns out they were trying to run the script bundle from another server/domain.
Hopefully that solves it?
I'm pretty sure an error like that is due to your own proxy server's defined security policies. Plone does not, OOTB, define any security policies for loading scripts.
The current policy you seem to have in place is safe but sounds like it's too restrictive for your use-case.
You can try placing that file in your theme/site and loading from there or checking your configuration. If you share your domain, someone here can tell you what header is causing it.
There's a bunch of them
Ignore temptation to change default-src ...
Yes, you're setting
Content-Security-Policy-Report-Only:default-src 'self'; img-src *; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval' on your proxy server.
It's report only so I'm pretty sure that shouldn't affect your code.
Okay. It was Nginx getting in the way. I've been running on Apache for so long, and only recently been running into actually using Nginx, so didn't know its quirks.
We'll try setting up webtorrent again later this week, and see if it works with the changes.
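Added example, not part of any post in this thread: a simplified CSP source matcher run against the policy and script URL quoted above, showing why the CDN script is a violation, why a Report-Only header logs it without blocking, and what self-hosting or listing the CDN host in script-src changes. The page origin `https://plone.example`, the self-hosted path and the widened policy are assumptions; scheme and port defaults of real CSP matching are not fully modelled.

```javascript
// Policy and script URL as quoted in the thread; PAGE_ORIGIN is a constructed placeholder.
const POLICY = "default-src 'self'; img-src *; style-src 'self' 'unsafe-inline'; " +
               "script-src 'self' 'unsafe-inline' 'unsafe-eval'";
const CDN_SCRIPT = 'https://cdn.jsdelivr.net/webtorrent/latest/webtorrent.min.js';
const PAGE_ORIGIN = 'https://plone.example';

// Split a CSP header value into directive name -> list of source expressions.
function parsePolicy(headerValue) {
  const directives = new Map();
  for (const part of headerValue.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1)); // first occurrence wins
  }
  return directives;
}

// Does one source expression allow this URL? (simplified: source paths are ignored)
function sourceMatches(source, url, pageOrigin) {
  if (source === '*') return url.protocol === 'http:' || url.protocol === 'https:';
  if (source === "'self'") return url.origin === pageOrigin;
  if (source.startsWith("'")) return false; // 'unsafe-inline' etc. never match an external URL
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return url.protocol === source.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(\d+|\*))?/i.exec(source);
  if (!m) return false;
  const [, scheme, host, port] = m;
  if (scheme && url.protocol !== scheme.toLowerCase() + ':') return false;
  const urlPort = url.port || (url.protocol === 'https:' ? '443' : '80');
  if (port && port !== '*' && port !== urlPort) return false;
  const h = host.toLowerCase();
  return h.startsWith('*.') ? url.hostname.endsWith(h.slice(1)) : url.hostname === h;
}

// script-src governs script loads; default-src is the fallback when it is absent.
function checkScript(headerName, headerValue, scriptUrl, pageOrigin) {
  const policy = parsePolicy(headerValue);
  const sources = policy.get('script-src') ?? policy.get('default-src');
  const url = new URL(scriptUrl);
  const violates = sources !== undefined &&
                   !sources.some((s) => sourceMatches(s, url, pageOrigin));
  const reportOnly = headerName.toLowerCase() === 'content-security-policy-report-only';
  return { violates, blocked: violates && !reportOnly }; // Report-Only reports but still loads
}

console.log(checkScript('Content-Security-Policy-Report-Only', POLICY, CDN_SCRIPT, PAGE_ORIGIN));
console.log(checkScript('Content-Security-Policy', POLICY, CDN_SCRIPT, PAGE_ORIGIN));
```

Only script-src needs the extra host if the CDN copy is kept; default-src stays at 'self'.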