Merge pull request #1088 from hedgedoc/fix/remove-yahoo-csp

CSP: Remove yahoo domain from defaults
author: David Mehren 2021-03-31 20:42:06 +0200
committer: GitHub 2021-03-31 20:42:06 +0200
commit: 4f2dcbd16fc633d8cd12b4f6f40285a3c92f9a38 (patch)
tree: b18bb71222b93b3d485cddc2808666f04bf5a2c9
parent: 1534d7029bf82c74d5b927e8b179a763ccb1cae4 (diff)
parent: f948de1d48e9daa2181e23fc0f7136f75210acaf (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/lib/csp.js b/lib/csp.js
index 616c1d21..108f2a22 100644
--- a/lib/csp.js
+++ b/lib/csp.js
@@ -5,7 +5,7 @@ const CspStrategy = {}
 
 const defaultDirectives = {
   defaultSrc: ['\'self\''],
-  scriptSrc: ['\'self\'', 'vimeo.com', 'https://gist.github.com', 'www.slideshare.net', 'https://query.yahooapis.com', '\'unsafe-eval\''],
+  scriptSrc: ['\'self\'', 'vimeo.com', 'https://gist.github.com', 'www.slideshare.net', '\'unsafe-eval\''],
   // ^ TODO: Remove unsafe-eval - webpack script-loader issues https://github.com/hackmdio/codimd/issues/594
   imgSrc: ['*'],
   styleSrc: ['\'self\'', '\'unsafe-inline\'', 'https://github.githubassets.com'], // unsafe-inline is required for some libs, plus used in views
author	David Mehren	2021-03-31 20:42:06 +0200
committer	GitHub	2021-03-31 20:42:06 +0200
commit	4f2dcbd16fc633d8cd12b4f6f40285a3c92f9a38 (patch)
tree	b18bb71222b93b3d485cddc2808666f04bf5a2c9
parent	1534d7029bf82c74d5b927e8b179a763ccb1cae4 (diff)
parent	f948de1d48e9daa2181e23fc0f7136f75210acaf (diff)