Update coolwsd.xml.in add concrete link to Content-Security-Policy

Adding a concrete hollow example.

Signed-off-by: Méven Car <[email protected]>
Change-Id: I95f186820737c29bb2aa177db3bf07d40188c839

Author: meven

coolwsd.xml.in

@@ -198,7 +198,14 @@
         <host desc="Ditto, but as IPv4-mapped IPv6 addresses">::ffff:10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}</host>
         <host desc="Localhost access by name">localhost</host>
       </lok_allow>
-      <content_security_policy desc="Customize the CSP header by specifying one or more policy-directive, separated by semicolons. See w3.org/TR/CSP2"></content_security_policy>
+      <content_security_policy desc="Customize the CSP header by specifying one or more policy-directive, separated by semicolons. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy">
+      <!-- example:
+      connect-src 'self' collabora-online-server.local;
+      frame-src 'self' server-to-inject-iframe-from.xyz;
+      connect-src 'self' server-to-inject-js-from.io;
+      frame-ancestors server-embedding-collabora-online-iframe
+      -->
+      </content_security_policy>
       <frame_ancestors desc="OBSOLETE: Use content_security_policy. Specify who is allowed to embed the Collabora Online iframe (coolwsd and WOPI host are always allowed). Separate multiple hosts by space."></frame_ancestors>
       <connection_timeout_secs desc="Specifies the connection, send, recv timeout in seconds for connections initiated by coolwsd (such as WOPI connections)." type="int" default="30">30</connection_timeout_secs>