Disable CSP by default

CHANGELOG.unreleased.md

@@ -18,6 +18,7 @@ For upgrade instructions, please check the [migration guide](MIGRATIONS.released
 
 ### Changed
 - Datasets stored in WKW format are no longer loaded with memory mapping, reducing memory demands. [#7528](https://github.com/scalableminds/webknossos/pull/7528)
+- Content Security Policy (CSP) settings are now relaxed by default. To keep stricter CSP rules, add them to your specific `application.conf`. [#7589](https://github.com/scalableminds/webknossos/pull/7589)
 - WEBKNOSSOS now uses Java 21. [#7599](https://github.com/scalableminds/webknossos/pull/7599)
 
 

MIGRATIONS.unreleased.md

@@ -7,6 +7,7 @@ User-facing changes are documented in the [changelog](CHANGELOG.released.md).
 
 ## Unreleased
 - WKW datasets can now only be read if they have a `header.wkw` file in their mag directories. If specific datasets can no longer be loaded, consider adding such a file. Backend logging should show according error message. [#7528](https://github.com/scalableminds/webknossos/pull/7528)
+- Content Security Policy (CSP) settings are now relaxed by default. To keep stricter CSP rules, add them to your specific `application.conf`. [#7589](https://github.com/scalableminds/webknossos/pull/7589)
 - The way the segment index is stored for nd-annotations has been changed ([#7411](https://github.com/scalableminds/webknossos/pull/7411)). Annotations with old segment indices should be
 archived if they do not contain relevant data. The following SQL query can be used:
 ```sql

conf/application.conf

@@ -25,23 +25,14 @@ play {
     # Note that the CSP filter is not enabled. We manually add this header ourselves for the
     # main view, using the following config (note that currently only directives are used, not nonce or hashes)
     csp.directives {
-      default-src = "'self'"
-      # In production 'unsafe-inline' should be removed as it is only needed to make the React Dev Tools work in Firefox.
-      # 'unsafe-eval' is needed because many libraries use some form of eval internally.
-      # The sha256 hash refers to the google analytics configuration script in main.scala.html.
-      script-src = "'self' 'unsafe-inline' 'unsafe-eval' *.googletagmanager.com app.olvy.co webknossos.olvy.co *.gstatic.com 'sha256-NA81o2FV8jh0UizSPsBz2qEGpXfap54Eghuo7vxrH8g='"
-      # 'unsafe-inline' is needed, because the olvy script uses inline CSS.
-      style-src = "'self' 'unsafe-inline' *.gstatic.com"
-      # In production ws://localhost:9002 should be removed as it is only needed to make the webpack dev-server work.
-      # api.github.com and gist.github.com are needed for the user script functionality.
-      # All external datastore URLs need to be included here, for example: *.webknossos.org demo.data1-brain.esc.rzg.mpg.de
-      # In addition, the host domain needs to be added as well, for example: *.webknossos.org
-      connect-src = "'self' ws://localhost:9002 app.olvy.co api.github.com gist.github.com *.google-analytics.com api.airbrake.io"
-      frame-src = "'self' webknossos.olvy.co"
-      # *.voxelytics.com is needed for images embedded in Voxelytics reports.
-      img-src = "'self' data: *.googletagmanager.com *.google-analytics.com *.voxelytics.com"
-      media-src = "*.webknossos.org"
-      font-src = "'self' data:"
+      default-src = "* data: mediastream: blob: filesystem: about: ws: wss: 'unsafe-eval' 'wasm-unsafe-eval' 'unsafe-inline'"
+      script-src = "* data: blob: 'unsafe-inline' 'unsafe-eval'"
+      style-src = "'self' 'unsafe-inline' *"
+      connect-src = "* data: blob: 'unsafe-inline'"
+      frame-src = "* data: blob: "
+      img-src = "* data: blob: 'unsafe-inline'"
+      media-src = "* data: blob: 'unsafe-inline'"
+      font-src = "* data: blob: 'unsafe-inline'"
     }
     enabled += "play.filters.headers.SecurityHeadersFilter"
     disabled += "play.filters.csrf.CSRFFilter"