authorSheogorath2018-12-05 13:14:34 +0100
committerSheogorath2018-12-05 13:17:14 +0100
commitecee16bd737b59d93ac0d1633fd8afd6aabca063 (patch)
tree75cda83082bbd063c791db33d94412e2a895ae23 /lib/csp.js
parentb40f14f66dd5446c1a2a9b20b3065d5c4726c3a8 (diff)
Fix disqus CSP
Disqus loads its embed config.js from its root domain (https://disqus.com). Our CSPs only allow subdomains (e.g.: https://codimd.disqus.com). This causes the disqus embedding to fail. This patch should fix this problem by adding https://disqus.com to the CSP setting. From a security perspective there is no real change, since the same parties are still involved. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
Diffstat (limited to 'lib/csp.js')
-rw-r--r--lib/csp.js2
1 files changed, 1 insertions, 1 deletions
diff --git a/lib/csp.js b/lib/csp.js
index 96be533a..098d35d2 100644
--- a/lib/csp.js
+++ b/lib/csp.js
@@ -23,7 +23,7 @@ var cdnDirectives = {
}
var disqusDirectives = {
- scriptSrc: ['https://*.disqus.com', 'https://*.disquscdn.com'],
+ scriptSrc: ['https://disqus.com', 'https://*.disqus.com', 'https://*.disquscdn.com'],
styleSrc: ['https://*.disquscdn.com'],
fontSrc: ['https://*.disquscdn.com']
}
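Review bot: The new `'https://disqus.com'` entry in `disqusDirectives.scriptSrc` reads as redundant next to `'https://*.disqus.com'` and risks being dropped in a later cleanup, because nothing in the code records that a CSP host wildcard matches subdomains only and not the apex host. A comment above the line would preserve the reason, e.g. `// '*.disqus.com' does not cover the apex host; Disqus loads its embed config.js from https://disqus.com`. The entry also allows every script path served from the apex host, so if the config.js location is stable, a path-scoped source expression would keep the allowance narrower. Whether that is practical cannot be judged from this hunk alone.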