Content security policies for Blockstack apps - discussion

I started a discussion about content security policies for Blockstack apps on the GitHub issues for Blockstack.

Here’s the thread: https://github.com/blockstack/blockstack/issues/218

Feel free to jump in and comment.


I’d like to restart this conversation. I’m looking for some guidance on best practices from Blockstack Engineering and more experienced developers.

When I “finished”-ish Note (https://note.riot.ai) I pushed it out with a policy that ended up being too restrictive. After a few iterations, this is where I’ve landed:

/*
  # The forum rendered the CSP quotes as typographic quotes; CSP keywords need ASCII apostrophes ('self', 'none') or they are ignored.
  Content-Security-Policy: frame-ancestors 'none'
  X-Frame-Options: DENY
  X-Content-Type-Options: nosniff
  # A second Content-Security-Policy header is enforced independently of the first: a load must satisfy both.
  Content-Security-Policy: script-src 'self' 'unsafe-inline' 'unsafe-eval' https://note.riot.ai; worker-src 'self' https://note.riot.ai; frame-ancestors 'none'; form-action 'self'
  X-XSS-Protection: 1; mode=block
/index.html
  Access-Control-Allow-Origin: *
  Access-Control-Allow-Headers: "X-Requested-With, Content-Type, Origin, Authorization, Accept, Client-Security-Token, Accept-Encoding"
  Access-Control-Allow-Methods: "GET"
/static/manifest.json
  Access-Control-Allow-Origin: *
  Access-Control-Allow-Headers: "X-Requested-With, Content-Type, Origin, Authorization, Accept, Client-Security-Token, Accept-Encoding"
  Access-Control-Allow-Methods: "GET"

I’m curious what considerations we should be making for people potentially running these apps with their own Gaia hubs. What improvements can I make to the above to make the app more secure?
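To make the review of the policy above concrete, here is a small CSP linter written as an added example for this thread; it is not code from the post, from Blockstack, or from the hosting provider. It parses header values the way a browser does (each Content-Security-Policy header on a response is enforced on its own, so a load must satisfy every one), resolves the fallback chain to default-src, and reports what a reviewer would flag: fetch directives that are left unrestricted because default-src is absent, 'unsafe-inline' and 'unsafe-eval' on script-src, a missing frame-ancestors or base-uri, and typographic quotes that silently turn 'self' into an ignored host name. POSTED_CSP reconstructs the two CSP headers from the post with ASCII quotes. HARDENED_CSP is my own assumption of a tighter policy for the same app, and its connect-src 'self' https: is how I would keep fetches working against a user's self-hosted Gaia hub, whose origin cannot be listed when the headers are written.

```javascript
// Added example (not code from the post, Blockstack, or the hosting provider):
// a small Content-Security-Policy linter. It takes an array because several
// CSP headers on one response are enforced independently, and a resource
// must satisfy every one of them.

// Fallback chain per CSP3: a directive that is absent is governed by the first
// present entry in its chain; if none is present it is unrestricted.
const FALLBACK = {
  "script-src": ["default-src"],
  "style-src": ["default-src"],
  "img-src": ["default-src"],
  "connect-src": ["default-src"],
  "font-src": ["default-src"],
  "object-src": ["default-src"],
  "frame-src": ["child-src", "default-src"],
  "worker-src": ["child-src", "script-src", "default-src"],
};

// Parse one header value into Map(directive -> [source expressions]).
function parseCsp(headerValue) {
  const policy = new Map();
  for (const part of headerValue.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    // A directive repeated inside one policy: browsers keep the first.
    if (!policy.has(key)) policy.set(key, sources);
  }
  return policy;
}

// Source list that actually governs `directive` in `policy`; null = unrestricted.
function effectiveSources(policy, directive) {
  for (const name of [directive, ...(FALLBACK[directive] || [])]) {
    if (policy.has(name)) return policy.get(name);
  }
  return null;
}

// True when every policy lets `keyword` through for `directive`. A policy that
// does not restrict the directive at all lets everything through. (Simplified:
// CSP3 ignores 'unsafe-inline' when a nonce or hash is also present.)
function allowedByAll(policies, directive, keyword) {
  return policies.every((p) => {
    const sources = effectiveSources(p, directive);
    return sources === null || sources.includes(keyword);
  });
}

function lintCsp(headerValues) {
  const findings = [];
  // Word-processor / forum quotes are not the ASCII apostrophe CSP requires;
  // a browser treats ‘self’ as an unknown host and ignores it.
  if (headerValues.some((v) => /[\u2018\u2019\u201c\u201d]/.test(v))) {
    findings.push("typographic quotes: 'self'/'none' must use ASCII apostrophes");
  }
  const policies = headerValues.map(parseCsp);
  for (const d of Object.keys(FALLBACK)) {
    if (policies.every((p) => effectiveSources(p, d) === null)) {
      findings.push(`${d} unrestricted: neither ${d} nor its fallback is set`);
    }
  }
  if (allowedByAll(policies, "script-src", "'unsafe-inline'")) {
    findings.push("script-src allows 'unsafe-inline': an injected <script> runs");
  }
  if (allowedByAll(policies, "script-src", "'unsafe-eval'")) {
    findings.push("script-src allows 'unsafe-eval': eval()/new Function() run");
  }
  if (policies.every((p) => !p.has("frame-ancestors"))) {
    findings.push("frame-ancestors missing: page can be framed (clickjacking)");
  }
  if (policies.every((p) => !p.has("base-uri"))) {
    findings.push("base-uri missing: an injected <base> redirects relative script URLs");
  }
  return findings;
}

// Constructed input: the two CSP headers from the post, with ASCII quotes.
const POSTED_CSP = [
  "frame-ancestors 'none'",
  "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://note.riot.ai; " +
    "worker-src 'self' https://note.riot.ai; frame-ancestors 'none'; form-action 'self'",
];

// Assumed tighter policy for the same app (my suggestion, not Blockstack's):
// default-src closes every unrestricted directive, and connect-src 'self' https:
// still lets the app talk to a user-chosen Gaia hub over HTTPS.
const HARDENED_CSP = [
  "default-src 'self'; script-src 'self'; connect-src 'self' https:; " +
    "worker-src 'self'; object-src 'none'; base-uri 'self'; " +
    "frame-ancestors 'none'; form-action 'self'",
];

console.log("posted policy:", lintCsp(POSTED_CSP));
console.log("hardened policy:", lintCsp(HARDENED_CSP));
```

Run with `node csp-lint.js`. Against the posted headers it reports nine findings: style-src, img-src, connect-src, font-src, object-src and frame-src are unrestricted because there is no default-src, script-src allows both 'unsafe-inline' and 'unsafe-eval' (which makes the https://note.riot.ai allow-list largely decorative), and base-uri is absent. The hardened variant reports none; whether `https:` on connect-src is acceptable depends on how much you trust users to point the app at the right hub, since it allows fetches to any HTTPS origin.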