From 14afcc44161fb6b61a3949edcb536c4d226f40e5 Mon Sep 17 00:00:00 2001
From: Simon Eisenmann
Date: Fri, 21 Nov 2014 11:59:57 +0100
Subject: [PATCH] Added CSP suggestions and example.

---
 server.conf.in | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/server.conf.in b/server.conf.in
index 8eae0180..1555d3ce 100644
--- a/server.conf.in
+++ b/server.conf.in
@@ -102,8 +102,16 @@ serverRealm = local
 ; examples.
 ;plugin = extra/static/myplugin.js
 ; Content-Security-Policy HTTP response header value.
+; Spreed WebRTC requires inline styles, WebSocket connection to itself and
+; data: URL for images.
+; The currently recommended CSP is:
+; default-src 'self';
+; style-src 'self' 'unsafe-inline';
+; img-src 'self' data:;
+; connect-src 'self' wss://server:port/ws;
 ;contentSecurityPolicy =
-; Content-Security-Policy-Report-Only HTTP response header value.
+; Content-Security-Policy-Report-Only HTTP response header value. Use this
+; to test your CSP before putting it into production.
 ;contentSecurityPolicyReportOnly =
 [log]
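Review bot: The recommended policy is listed one directive per line, but `contentSecurityPolicy` is a single-line config value, so a reader who copies the block as shown gets a broken header; the comment should also show the value in the form it must actually take, e.g. `;contentSecurityPolicy = default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; connect-src 'self' wss://server:port/ws`. The `server:port` in the `connect-src` line is a placeholder that must be replaced with the externally visible host and port the clients connect to, and the comment should say so explicitly, since `'self'` on its own does not necessarily match the `wss:` scheme in older CSP implementations. It is also worth noting next to `style-src` that `'unsafe-inline'` is a deliberate trade-off required by the application and should not be extended to `script-src`. The hunk header's old-side count (8) suggests one context line (likely a blank line before `[log]`) was lost in the collapsed rendering; the reformatted hunk above does not re-add it.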