After further testing and messing about I think I have worked out a policy that does not break anything but will need more testing:
add_header Content-Security-Policy "default-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src 'self'; object-src 'self'; frame-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; font-src 'self'; form-action 'self'; base-uri 'self'; frame-ancestors 'self';" always;

It seems like "unsafe-inline", "unsafe-eval" and "data:" are required, as seen above, for certain parameters for Guac to function properly. With the above I am getting a B+ 80/100 score on Mozilla's Observatory test found here: https://observatory.mozilla.org. Due to needing to use the unsafe parameters, I don't think a higher score is possible. Regardless, it seems that with the current policy there are some benefits, so I will keep testing and see if any refinements are needed to have Guac 100% functional. Still open to any suggestions or insight as this is new to me.

Thanks

--
Sent from: http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/
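As an added illustration (not code from the poster or from the Guacamole project), the following Python parses the policy quoted above and reports which directives still carry the weakening sources ('unsafe-inline', 'unsafe-eval', data:), separating the ones that affect script execution from the rest; the `WEAK_SOURCES` set and the severity split are this example's own assumptions.

```python
from __future__ import annotations

# Sample input: the nginx CSP value from the post above, copied verbatim.
GUAC_POLICY = (
    "default-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; "
    "connect-src 'self'; object-src 'self'; frame-src 'self'; img-src 'self' data:; "
    "style-src 'self' 'unsafe-inline'; font-src 'self'; form-action 'self'; "
    "base-uri 'self'; frame-ancestors 'self';"
)

# Source expressions that weaken CSP's protection against injected content
# (assumed list for this audit; extend as needed).
WEAK_SOURCES = {"'unsafe-inline'", "'unsafe-eval'", "data:", "*", "http:", "https:"}

# Directives that govern script execution; weak sources here matter most,
# because they undo CSP's main XSS mitigation.
SCRIPT_DIRECTIVES = {"script-src", "script-src-elem", "script-src-attr", "default-src"}


def parse_csp(policy: str) -> dict[str, list[str]]:
    """Split a serialized CSP into {directive-name: [source, ...]}.

    Directives are ';'-separated; the first token is the name and the rest are
    sources. Names are case-insensitive, so they are lower-cased, and a repeated
    directive is ignored after its first occurrence, as browsers do."""
    directives: dict[str, list[str]] = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue
        directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def audit_csp(policy: str) -> dict[str, list[str]]:
    """Return {directive: [weak sources it contains]} for every directive that
    carries at least one weak source."""
    findings: dict[str, list[str]] = {}
    for name, sources in parse_csp(policy).items():
        weak = [s for s in sources if s.lower() in WEAK_SOURCES]
        if weak:
            findings[name] = weak
    return findings


def script_weakened(policy: str) -> dict[str, list[str]]:
    """Subset of audit_csp() limited to directives that control script execution."""
    return {n: w for n, w in audit_csp(policy).items() if n in SCRIPT_DIRECTIVES}
```

Running `audit_csp(GUAC_POLICY)` shows that only script-src, style-src and img-src carry weak sources, and `script_weakened` narrows that to script-src, which is the finding worth revisiting first in any later refinement.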
