Attention Userscript authors

DoublePipe
Economist -
Not a Llama - Happy April Fools Day!

Over the recent months we have been working towards enabling a Content Security Policy on the site. This is a security mechanism which can be used to reduce the harm of XSS attacks and cross-site information leaks. It works mainly by locking down the locations from where external resources can be loaded.
 
While the specification states that browsers should not let it affect user-provided resources like userscripts, this does not appear to be the case in practice. This means that your script may require some changes in order to keep functioning. The most likely consequences you could run into will be the following:
 
  • You will not be able to load inline images from domains other than the current one, or derpicdn.net. You’ll need to load them inside your script or insert them as 'data:' URIs.
     
  • You will not be able to load scripts from other domains by including a script tag, or insert inline scripts on the site. Your userscript must load any external scripts that you need.
     
We have set up a subdomain with the CSP already enabled. Make sure you test your scripts at: https://nqnm.derpibooru.org. You can see potential CSP warnings in the console of your browser developer tools. We figured we would give you this caution before we enable it. In order to give you plenty of time to make the changes required, we’ll start enforcing it on the real site on April 10th.

The policy we plan to use is the following:

@block-all-mixed-content;
child-src 'self' www.google.com/recaptcha/;
connect-src 'self';
default-src 'none';
disown-opener;
font-src derpicdn.net;
form-action 'self';
frame-ancestors 'none';
frame-src 'self' www.google.com/recaptcha/;
img-src 'self' data: derpicdn.net camo.derpicdn.net www.google-analytics.com;
manifest-src 'self';
media-src derpicdn.net;
object-src 'none';
reflected-xss block;
report-to https://derpibooru.report-uri.io/r/default/csp/enforce;
report-uri https://derpibooru.report-uri.io/r/default/csp/enforce;
script-src derpicdn.net www.google.com/recaptcha/ www.gstatic.com/recaptcha/ www.google-analytics.com;
style-src 'unsafe-inline' derpicdn.net;
upgrade-insecure-requests;
worker-src 'none';@

Feel free to ask questions and let us know how you’re doing in this thread, and we’ll do our best to help.

*TL;DR - We are going to enable our Content Security Policy on April 10th. Make sure your userscripts are working with it by testing them at https://nqnm.derpibooru.org*

If you are a userscript author, make sure you subscribe to this thread if you want updates regarding this change.
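As an added illustration (not part of the original post or of the site's code), here is a small matcher that predicts whether a given resource load would pass the policy quoted above, using the source forms that policy actually contains ('self', 'none', data:, and host with optional path prefix). It assumes the page origin is https://derpibooru.org and works on a subset of the directives; path matching is simplified to a prefix test rather than the full CSP algorithm.

```javascript
// Added example: minimal CSP source matcher for the policy announced above.
// Assumed page origin (not stated in the post).
const SITE_ORIGIN = 'https://derpibooru.org';

// Subset of the announced policy; copied from the post, trimmed for brevity.
const POLICY = `
default-src 'none';
connect-src 'self';
img-src 'self' data: derpicdn.net camo.derpicdn.net www.google-analytics.com;
script-src derpicdn.net www.google.com/recaptcha/ www.gstatic.com/recaptcha/ www.google-analytics.com;
style-src 'unsafe-inline' derpicdn.net;
`;

// Parse "directive src src ...;" entries into a Map(directive -> [sources]).
function parsePolicy(text) {
  const map = new Map();
  for (const part of text.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) map.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return map;
}

// Does one source expression allow this URL? Handles the forms used above only.
function sourceMatches(src, url, origin) {
  const s = src.replace(/^'|'$/g, '').toLowerCase();
  if (s === 'none') return false;
  if (s === 'self') return url.origin === origin;
  if (s.endsWith(':')) return url.protocol === s;        // scheme source, e.g. data:
  const [host, ...rest] = s.split('/');                  // host source, optional path prefix
  if (url.hostname !== host) return false;
  const path = rest.length ? '/' + rest.join('/') : '';
  return path === '' || url.pathname.startsWith(path);   // simplified prefix match
}

// Look up the directive, falling back to default-src as browsers do.
function isAllowed(policy, directive, urlString) {
  const sources = policy.get(directive) || policy.get('default-src') || [];
  const url = new URL(urlString);
  return sources.some((src) => sourceMatches(src, url, SITE_ORIGIN));
}

const CSP = parsePolicy(POLICY);
```

Run `isAllowed(CSP, 'img-src', url)` on the URLs a userscript injects to see which ones will need to be fetched inside the script or converted to data: URIs instead.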
p-a-t-a-r
Artist -

Prehistoric Brony-fish
Thanks for the test site and the heads up! Always good to see more security happening. (Luckily, my script only uses Derpibooru resources so it still works perfectly :D)