No worries at all: I appreciate your help in banging on the alpha build, and I suspect this will trip up more people.
Is there a safe way I can default to making things “work by default”, I wonder?
For reference, v2.1 now has the following CSP/CORS/“web security” settings:

- `upgradeInsecureRequests`: if true, adds the `upgrade-insecure-requests` CSP directive. If false, the directive is omitted. CSP linters suggest that it be included.
- `cspReportOnly`: if true, uses the `Content-Security-Policy-Report-Only` header rather than the standard `Content-Security-Policy`. CSP violations are only reported. This should only be set to true temporarily for debugging CSP errors.
- `enableWebSecurity`: this defaults to true if you use `--expose` or `exposeNetworkWithoutAuth=true`. If explicitly set to `false`, it changes the default of `cspReportOnly` to true and `upgradeInsecureRequests` to false. If you’re accessing your PhotoStructure library via the web interface, you want this set to `true`.
So, with that out of the way, perhaps I default `upgradeInsecureRequests` to false?
After explaining this, I think enableWebSecurity is too confusing and complicated: I’m going to delete it.
Related: did people know that there’s a `trustProxy` setting? It currently defaults to false because I’m chicken, but I think defaulting it to loopback might be almost as safe a default. More details about `trustProxy` defaults are here.
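An added example, not PhotoStructure’s own code, that models the settings described in the post above: how the three CSP settings resolve to an actual response header (including the default-flipping when `enableWebSecurity` is explicitly false), and what `trustProxy` of `false` versus `"loopback"` means for the client address a request is attributed to. Assumptions: `enableWebSecurity` counts as enabled unless explicitly false (the post only spells out the `--expose` case); the base policy `default-src 'self'` is a placeholder, since the real policy is not shown; and `"loopback"` is taken to follow Express’s `trust proxy` semantics, where `X-Forwarded-For` is honoured only when the TCP peer is a loopback address. All sample addresses are constructed.

```javascript
// Added example, not PhotoStructure's code. Models the v2.1 settings from the post.

// Resolve the effective values of the three CSP-related settings.
// Assumption: enableWebSecurity is treated as enabled unless it is explicitly
// false; explicit values for the other two settings always win.
function resolveWebSecurity(settings = {}) {
  const enabled = settings.enableWebSecurity !== false;
  return {
    enableWebSecurity: enabled,
    // Defaults flip when web security is disabled: report-only on,
    // upgrade-insecure-requests off.
    cspReportOnly: settings.cspReportOnly ?? !enabled,
    upgradeInsecureRequests: settings.upgradeInsecureRequests ?? enabled,
  };
}

// Build the CSP header name and value. baseDirectives is a placeholder
// policy (assumption: the real policy is not shown in the post).
function cspHeader(settings = {}, baseDirectives = ["default-src 'self'"]) {
  const eff = resolveWebSecurity(settings);
  const directives = [...baseDirectives];
  if (eff.upgradeInsecureRequests) directives.push("upgrade-insecure-requests");
  return {
    name: eff.cspReportOnly
      ? "Content-Security-Policy-Report-Only"
      : "Content-Security-Policy",
    value: directives.join("; "),
  };
}

// trustProxy: which address should a request be attributed to?
// Assumption: "loopback" follows Express's `trust proxy` semantics. Starting
// from the TCP peer, walk the X-Forwarded-For chain right-to-left while each
// hop is trusted; the first untrusted address is the client. With
// trustProxy=false nothing is trusted, so the header is ignored entirely and
// a client cannot spoof its address by sending X-Forwarded-For itself.
const LOOPBACK = new Set(["127.0.0.1", "::1", "::ffff:127.0.0.1"]);

function clientIp(trustProxy, socketAddr, forwardedFor = "") {
  const isTrusted = (addr) =>
    trustProxy === true || (trustProxy === "loopback" && LOOPBACK.has(addr));
  const hops = forwardedFor
    .split(",")
    .map((s) => s.trim())
    .filter(Boolean)
    .reverse(); // rightmost entry was appended by the nearest proxy
  const chain = [socketAddr, ...hops];
  for (const addr of chain) {
    if (!isTrusted(addr)) return addr;
  }
  // Every hop was trusted: the leftmost X-Forwarded-For entry is the client.
  return chain[chain.length - 1];
}

// Constructed sample: a reverse proxy on localhost in front of the app.
const examples = {
  defaultHeader: cspHeader({}),
  debugHeader: cspHeader({ enableWebSecurity: false }),
  viaLocalProxy: clientIp("loopback", "127.0.0.1", "203.0.113.5"),
  spoofAttempt: clientIp("loopback", "192.0.2.10", "203.0.113.5"),
  proxyIgnored: clientIp(false, "127.0.0.1", "203.0.113.5"),
};
```

`spoofAttempt` is the case that makes `"loopback"` a reasonable default: a client that connects directly and forges `X-Forwarded-For` is still attributed to its real socket address, because only a loopback peer is allowed to vouch for an upstream address. `trustProxy: true` would trust that header from anyone.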