Add media-src to content-security-policy (#2132)

WithoutPants 2021-12-16 09:18:23 +11:00 committed by GitHub
parent bbe99a0dd8
commit 439c338049
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 1 additions and 1 deletions


@ -357,7 +357,7 @@ func SecurityHeadersMiddleware(next http.Handler) http.Handler {
}
connectableOrigins += "; "
cspDirectives := "default-src data: 'self' 'unsafe-inline';" + connectableOrigins + "img-src data: *; script-src 'self' 'unsafe-inline'; child-src 'none'; object-src 'none'; form-action 'self'"
cspDirectives := "default-src data: 'self' 'unsafe-inline';" + connectableOrigins + "img-src data: *; script-src 'self' 'unsafe-inline'; media-src 'self' blob:; child-src 'none'; object-src 'none'; form-action 'self'"
w.Header().Set("Referrer-Policy", "same-origin")
w.Header().Set("X-Content-Type-Options", "nosniff")
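Review bot: The new `media-src 'self' blob:` directive on the `cspDirectives` line stops audio/video from falling back to `default-src`, so the `data:` source that `default-src` allowed is no longer permitted for media, while `img-src` still allows `data: *`. If that narrowing is intended, record it beside the string, for example `// media-src overrides the default-src fallback: media may load only from 'self' and blob: (data: is intentionally not allowed)`. If media can also be served from another origin (not visible in this hunk), that origin would need to be listed here too, because browsers will now block it. The body of SecurityHeadersMiddleware starts and ends outside the hunk, so how the header is finally set cannot be checked from here.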