Allow embedding of video and audio tags

Adding mediaSrc to CSP so video and audio files can be embedded without problems. From a security perspective it should be fine to load audio and video data without introducing a high security issue. Only from a privacy perspective it allows another way to track users if there are data embedded. But it doesn't introduce any new attack vector as pictures are also allowed from everywhere. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
author: Sheogorath 2018-03-25 20:50:30 +0200
committer: Sheogorath 2018-03-25 20:51:56 +0200
commit: 450262c4ab6519fec3943e1d19bd48f78f8a8713 (patch)
tree: 31feed1dc87874261bcf6c46a31bf871d3393375
parent: 57c47a65dde59d355fba702bc91c63eebcc2533c (diff)
1 files changed, 1 insertions, 0 deletions
diff --git a/lib/csp.js b/lib/csp.js
index cef2e2f6..8a4aa088 100644
--- a/lib/csp.js
+++ b/lib/csp.js
@@ -11,6 +11,7 @@ var defaultDirectives = {
   styleSrc: ['\'self\'', '\'unsafe-inline\'', 'https://assets-cdn.github.com'], // unsafe-inline is required for some libs, plus used in views
   fontSrc: ['\'self\'', 'https://public.slidesharecdn.com'],
   objectSrc: ['*'], // Chrome PDF viewer treats PDFs as objects :/
+  mediaSrc: ['*'],
   childSrc: ['*'],
   connectSrc: ['*']
 }
author	Sheogorath	2018-03-25 20:50:30 +0200
committer	Sheogorath	2018-03-25 20:51:56 +0200
commit	450262c4ab6519fec3943e1d19bd48f78f8a8713 (patch)
tree	31feed1dc87874261bcf6c46a31bf871d3393375
parent	57c47a65dde59d355fba702bc91c63eebcc2533c (diff)