Suppose you'd like to inject custom JavaScript into your @owncast server.

Its admin interface allows you to provide custom JavaScript, but you'd like to load a .js file from some other server, not paste hundreds of lines into a text box.

It also allows you to provide custom Markdown, allowing arbitrary HTML, too. But the page is served with a rather strict #CSP, with a nonce and script-src 'self'.

How would you work around this?

#WebDev #Owncast

The best approach I can currently think of would be to change the Content-Security-Policy header in the reverse proxy, loosening security enough to allow loading my custom <script> tag.
@scy this or have the reverse proxy also reverse proxy the extra JS so it's on the same host
@littlefox The latter doesn't solve the CSP nonce though.
@scy My CSP knowledge is a bit rusty but IIRC the 'nonce' doesn't apply to externally loaded scripts, i.e. the 'self' in combination with @littlefox's suggestion should work? (Unless that extra 'strict' or whatever it was called stanza is set.)
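
A simplified model of how a browser applies a `script-src` list containing a nonce and `'self'` to the cases raised in this thread. It is an added example, not part of any post and not Owncast's code. The policy string, nonce value and origin are constructed, and hashes, wildcards, paths and `script-src-elem` are not modelled.

```javascript
// Constructed sample values; the real Owncast header is not shown in the thread.
const ORIGIN = "https://stream.example";
const POLICY = "default-src 'none'; script-src 'self' 'nonce-r4nd0m'";

// Return the source list governing scripts (script-src, else default-src).
function scriptSources(header) {
  const directives = new Map();
  for (const d of header.split(";")) {
    const [name, ...sources] = d.trim().split(/\s+/);
    const key = (name || "").toLowerCase();
    if (key && !directives.has(key)) directives.set(key, sources);
  }
  return directives.get("script-src") ?? directives.get("default-src") ?? null;
}

// script: { src?: string, nonce?: string, parserInserted?: boolean }
function scriptAllowed(header, pageOrigin, script) {
  const sources = scriptSources(header);
  if (sources === null) return true; // no governing directive in the header
  const has = (kw) => sources.some((s) => s.toLowerCase() === kw);
  const nonces = sources
    .filter((s) => /^'nonce-.+'$/i.test(s))
    .map((s) => s.slice(7, -1));
  // A matching nonce attribute allows the element, inline or external.
  if (script.nonce && nonces.includes(script.nonce)) return true;
  if (!script.src) {
    // Inline without a valid nonce: 'unsafe-inline' is ignored once the
    // policy carries a nonce, so such scripts are blocked.
    return has("'unsafe-inline'") && nonces.length === 0;
  }
  if (has("'strict-dynamic'")) {
    // 'self' and host sources are ignored; only scripts created by an
    // already trusted script (not parser-inserted) may load.
    return script.parserInserted === false;
  }
  // External script without nonce: its origin must match the source list.
  const origin = new URL(script.src, pageOrigin).origin;
  return sources.some((s) =>
    s.toLowerCase() === "'self'" ? origin === pageOrigin : origin === s);
}
```

Under this model, a nonce-less `<script src>` pointing at a same-origin path passes through `'self'`, while the same tag is blocked once `'strict-dynamic'` is in the list.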