From 439c338049a18a1b3da310e50bdde5769ce53e18 Mon Sep 17 00:00:00 2001 From: WithoutPants <53250216+WithoutPants@users.noreply.github.com> Date: Thu, 16 Dec 2021 09:18:23 +1100 Subject: [PATCH] Add media-src to content-security-policy (#2132) --- pkg/api/server.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/api/server.go b/pkg/api/server.go index c8677f75d..307fbea40 100644 --- a/pkg/api/server.go +++ b/pkg/api/server.go @@ -357,7 +357,7 @@ func SecurityHeadersMiddleware(next http.Handler) http.Handler { } connectableOrigins += "; " - cspDirectives := "default-src data: 'self' 'unsafe-inline';" + connectableOrigins + "img-src data: *; script-src 'self' 'unsafe-inline'; child-src 'none'; object-src 'none'; form-action 'self'" + cspDirectives := "default-src data: 'self' 'unsafe-inline';" + connectableOrigins + "img-src data: *; script-src 'self' 'unsafe-inline'; media-src 'self' blob:; child-src 'none'; object-src 'none'; form-action 'self'" w.Header().Set("Referrer-Policy", "same-origin") w.Header().Set("X-Content-Type-Options", "nosniff")