mirror/ditto
mirror/ditto
1
0
Fork 0
mirror of https://gitlab.com/soapbox-pub/ditto.git synced 2025-12-06 11:29:46 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

csp: load any media over https, not just local media

Browse source
This commit is contained in:
Alex Gleason 2023-09-11 15:16:26 -05:00
parent 6382f98a5e
commit 737c9f0364
No known key found for this signature in database
GPG key ID: 7211D1F99744FBB7
1 changed files with 2 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
src/middleware/csp.ts
View file

@ -10,8 +10,8 @@ const csp = (): AppMiddleware => {
'upgrade-insecure-requests', 'upgrade-insecure-requests',
`script-src 'self'`, `script-src 'self'`,
`connect-src 'self' blob: ${Conf.localDomain} ${wsProtocol}//${host}`, `connect-src 'self' blob: ${Conf.localDomain} ${wsProtocol}//${host}`,
`media-src 'self' ${Conf.mediaDomain}`, `media-src 'self' https:`,
`img-src 'self' data: blob: ${Conf.mediaDomain}`, `img-src 'self' data: blob: https:`,
`default-src 'none'`, `default-src 'none'`,
`base-uri 'self'`, `base-uri 'self'`,
`frame-ancestors 'none'`, `frame-ancestors 'none'`,