playvideos: updates README.md for CSP instructions

Signed-off-by: Thibaud CANALE <[email protected]>
shaarli · Nov 17, 2024 · 87c9e1a · 87c9e1a
1 parent 0cc6372
commit 87c9e1a
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/plugins/playvideos/README.md b/plugins/playvideos/README.md
@@ -13,12 +13,12 @@ This is a default Shaarli plugin, you just have to enable it. See [Shaarli confi
 
 #### Troubleshooting
 
-If your server has [Content Security Policy](http://content-security-policy.com/) headers enabled, this may prevent the script from loading fully. You should relax the CSP in your server settings. Example CSP rule for apache2: 
+If your server has [Content Security Policy](https://content-security-policy.com/) headers enabled, this may prevent the script from loading fully. This plugin only requires to accept content from Youtube servers, so simply allow `https://www.youtube.com` as source for `script-src` and `frame-src` in your server settings. Example CSP rule for apache2:
 
 ```apache
 <Directory /path/to/shaarli>
     # Required for playvideos plugin
-    Header set Content-Security-Policy "script-src 'self' 'unsafe-inline' https://www.youtube.com https://s.ytimg.com 'unsafe-eval'"
+    Header set Content-Security-Policy "default-src 'none'; base-uri 'self'; frame-ancestors 'none'; form-action 'self'; script-src 'self' https://www.youtube.com; connect-src 'self'; frame-src 'self' https://www.youtube.com; img-src 'self'; style-src 'self'; font-src 'self'"
 </Directory>
 ```