From 737c9f03647fd4f1b3e8b669065478e7a7e44e87 Mon Sep 17 00:00:00 2001
From: Alex Gleason
Date: Mon, 11 Sep 2023 15:16:26 -0500
Subject: [PATCH] csp: load any media over https, not just local media

---
 src/middleware/csp.ts | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/middleware/csp.ts b/src/middleware/csp.ts
index f97fc9a7..88758473 100644
--- a/src/middleware/csp.ts
+++ b/src/middleware/csp.ts
@@ -10,8 +10,8 @@ const csp = (): AppMiddleware => {
       'upgrade-insecure-requests',
       `script-src 'self'`,
       `connect-src 'self' blob: ${Conf.localDomain} ${wsProtocol}//${host}`,
-      `media-src 'self' ${Conf.mediaDomain}`,
-      `img-src 'self' data: blob: ${Conf.mediaDomain}`,
+      `media-src 'self' https:`,
+      `img-src 'self' data: blob: https:`,
       `default-src 'none'`,
       `base-uri 'self'`,
       `frame-ancestors 'none'`,
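Review bot: The new `media-src 'self' https:` and `img-src 'self' data: blob: https:` lines drop `${Conf.mediaDomain}` entirely, so a configured media domain that is not reachable over https (a plain-http dev or internal host that is not same-origin, and so not covered by `'self'`) appears to be blocked now — unless `upgrade-insecure-requests` rewrites it first, which is not certain for every host; keeping the explicit entry, `media-src 'self' https: ${Conf.mediaDomain}` and likewise for `img-src`, avoids that regression without weakening the intent. The move from a single allow-listed domain to any https origin is a deliberate loosening: images and media from arbitrary remote hosts can now render, which a federated client needs, but it also means an image URL in remote content is a channel for third-party tracking pixels that the previous list ruled out, while `connect-src` and `script-src` remain locked down. That reasoning is worth a one-line comment above the directive list, `// media/img may load from any https: origin so remote attachments and avatars render; connect-src and script-src stay restricted to 'self'`, so a later reviewer does not "tighten" it back by accident. The enclosing `csp` arrow function starts and ends outside the hunk.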