diff options
author | Sheogorath | 2018-03-25 20:50:30 +0200 |
---|---|---|
committer | Sheogorath | 2018-03-25 20:51:56 +0200 |
commit | 450262c4ab6519fec3943e1d19bd48f78f8a8713 (patch) | |
tree | 31feed1dc87874261bcf6c46a31bf871d3393375 | |
parent | 57c47a65dde59d355fba702bc91c63eebcc2533c (diff) |
Allow embedding of video and audio tags
Adding mediaSrc to CSP so video and audio files can be embedded without
problems.
From a security perspective it should be fine to load audio and video
data without introducing a high security issue. Only from a privacy
perspective it allows another way to track users if there are data
embedded. But it doesn't introduce any new attack vector as pictures are
also allowed from everywhere.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
Diffstat (limited to '')
-rw-r--r-- | lib/csp.js | 1 |
1 files changed, 1 insertions, 0 deletions
@@ -11,6 +11,7 @@ var defaultDirectives = { styleSrc: ['\'self\'', '\'unsafe-inline\'', 'https://assets-cdn.github.com'], // unsafe-inline is required for some libs, plus used in views fontSrc: ['\'self\'', 'https://public.slidesharecdn.com'], objectSrc: ['*'], // Chrome PDF viewer treats PDFs as objects :/ + mediaSrc: ['*'], childSrc: ['*'], connectSrc: ['*'] } |