Version 2.1.0-alpha.1 is ready for testing!

No worries at all: I appreciate your help in banging on the alpha build, and I suspect this will trip up more people.

Is there a safe way I can default to making things “work by default”, I wonder?

For reference, v2.1 now has the following CSP/CORS/“web security” settings:

  • upgradeInsecureRequests, if true, adds the upgrade-insecure-requests CSP directive. If false, the directive is omitted. CSP linters suggest that it be included.

  • cspReportOnly, if true, uses the Content-Security-Policy-Report-Only header rather than the standard Content-Security-Policy. CSP violations are only reported. This should only be set to true temporarily for debugging CSP errors.

  • enableWebSecurity: this defaults to true if you use --expose or exposeNetworkWithoutAuth=true. If explicitly set to false, it changes the default of cspReportOnly to true and upgradeInsecureRequests to false. If you’re accessing your PhotoStructure library via the web interface, you want this set to true.

So, with that out of the way, perhaps I default upgradeInsecureRequests to false?

After explaining this, I think enableWebSecurity is too confusing and complicated: I’m going to delete it.

Related: did people know that there’s a trustProxy setting? It currently defaults to false because I’m chicken, but I think defaulting it to loopback might be almost as safe of a default. More defaults about trustProxy are here.
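To make the three settings in this post concrete, here is an added example (not PhotoStructure's own code, and not from the post's author) showing how upgradeInsecureRequests and cspReportOnly would plausibly map onto the response header, and why trustProxy=false is the safe default while "loopback" is nearly as safe. The base CSP directives, the helper names, and the exact trustProxy values ("loopback" vs true) are assumptions for illustration; the loopback logic mirrors how Express/proxy-addr walks X-Forwarded-For from the nearest hop outward, but this is a stand-alone reimplementation, not the library itself.

```javascript
// Added example (not PhotoStructure code). Setting names come from the post;
// the base policy and helper names are assumptions for illustration only.

// Constructed base policy: PhotoStructure's real directives are not on the page.
const BASE_DIRECTIVES = {
  "default-src": ["'self'"],
  "img-src": ["'self'", "blob:", "data:"],
  "object-src": ["'none'"],
};

// Build the CSP header from the two settings described in the post:
//  - upgradeInsecureRequests adds (or omits) the upgrade-insecure-requests directive
//  - cspReportOnly switches to the Report-Only header, which only reports violations
function buildCspHeader(settings) {
  const parts = Object.entries(BASE_DIRECTIVES).map(
    ([directive, sources]) => `${directive} ${sources.join(" ")}`
  );
  if (settings.upgradeInsecureRequests) {
    parts.push("upgrade-insecure-requests");
  }
  const name = settings.cspReportOnly
    ? "Content-Security-Policy-Report-Only" // debugging only: nothing is blocked
    : "Content-Security-Policy";
  return { name, value: parts.join("; ") };
}

// Loopback means 127.0.0.0/8, ::1, or an IPv4-mapped 127.x address.
function isLoopback(ip) {
  const v4 = ip.startsWith("::ffff:") ? ip.slice(7) : ip;
  if (/^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(v4)) return true;
  return ip === "::1";
}

// Decide which address to treat as the client, given the TCP peer address,
// the raw X-Forwarded-For header, and the trustProxy setting:
//   false      -> ignore X-Forwarded-For entirely (safe, but breaks reverse proxies)
//   "loopback" -> only a proxy on localhost may supply the client address
//   true       -> trust every hop (spoofable by any direct client)
function clientAddress(remoteAddr, xForwardedFor, trustProxy) {
  if (!trustProxy) return remoteAddr;

  const trusted = trustProxy === "loopback" ? isLoopback : () => true;
  const hops = (xForwardedFor || "")
    .split(",")
    .map((s) => s.trim())
    .filter(Boolean);

  // Walk from the nearest hop outward; the first untrusted hop is the client.
  let addr = remoteAddr;
  if (!trusted(addr)) return addr;
  for (let i = hops.length - 1; i >= 0; i--) {
    addr = hops[i];
    if (!trusted(addr)) return addr;
  }
  return addr;
}

// Small demonstration when run directly (constructed inputs).
console.log(buildCspHeader({ upgradeInsecureRequests: true, cspReportOnly: false }));
console.log(clientAddress("127.0.0.1", "203.0.113.9", false)); // 127.0.0.1
console.log(clientAddress("127.0.0.1", "203.0.113.9", "loopback")); // 203.0.113.9
console.log(clientAddress("192.0.2.10", "127.0.0.1", "loopback")); // 192.0.2.10
```

The third call is the case that makes "loopback" reasonable: a client on the LAN connecting directly and sending a forged X-Forwarded-For still resolves to its real peer address, because the peer itself is not loopback and the header is never consulted. With trustProxy=true the same forged header would be believed.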