From 87c9e1a95ca4392e00ed3fdc05c5253cfee01073 Mon Sep 17 00:00:00 2001 From: Thibaud CANALE Date: Sat, 16 Nov 2024 23:57:39 +0100 Subject: [PATCH] playvideos: updates README.md for CSP instructions Signed-off-by: Thibaud CANALE --- plugins/playvideos/README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/plugins/playvideos/README.md b/plugins/playvideos/README.md index 32a94e880..9db53ea0d 100644 --- a/plugins/playvideos/README.md +++ b/plugins/playvideos/README.md @@ -13,12 +13,12 @@ This is a default Shaarli plugin, you just have to enable it. See [Shaarli confi #### Troubleshooting -If your server has [Content Security Policy](http://content-security-policy.com/) headers enabled, this may prevent the script from loading fully. You should relax the CSP in your server settings. Example CSP rule for apache2: +If your server has [Content Security Policy](https://content-security-policy.com/) headers enabled, this may prevent the script from loading fully. This plugin only requires to accept content from Youtube servers, so simply allow `https://www.youtube.com` as source for `script-src` and `frame-src` in your server settings. Example CSP rule for apache2: ```apache # Required for playvideos plugin - Header set Content-Security-Policy "script-src 'self' 'unsafe-inline' https://www.youtube.com https://s.ytimg.com 'unsafe-eval'" + Header set Content-Security-Policy "default-src 'none'; base-uri 'self'; frame-ancestors 'none'; form-action 'self'; script-src 'self' https://www.youtube.com; connect-src 'self'; frame-src 'self' https://www.youtube.com; img-src 'self'; style-src 'self'; font-src 'self'" ```
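Review bot: the apache2 example under "# Required for playvideos plugin" is now a complete site-wide policy (`default-src 'none'`, `frame-ancestors 'none'`, `img-src 'self'`, `style-src 'self'` and so on), while the sentence just above it says the plugin only needs `https://www.youtube.com` in `script-src` and `frame-src`. `Header set` replaces any Content-Security-Policy header that is already configured, so an admin who pastes this line overwrites their existing policy and applies restrictions unrelated to the plugin to the whole instance. Either reduce the example to the two directives the plugin needs, or change the comment to say that this is a full example policy in which only the two `https://www.youtube.com` entries are plugin-specific and should be merged into an existing header. The new line also drops `https://s.ytimg.com`, `'unsafe-inline'` and `'unsafe-eval'` from `script-src`; the commit message should state that the plugin was checked without them. Wording nit in the added sentence: "only requires to accept content from Youtube servers" reads better as "only needs to load content from YouTube servers".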