From f948de1d48e9daa2181e23fc0f7136f75210acaf Mon Sep 17 00:00:00 2001
From: Erik Michelson
Date: Mon, 29 Mar 2021 23:35:12 +0200
Subject: Remove yahoo domain from default CSP rules

Signed-off-by: Erik Michelson <opensource@erik.michelson.eu>
---
 lib/csp.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'lib/csp.js')

diff --git a/lib/csp.js b/lib/csp.js
index 616c1d21..108f2a22 100644
--- a/lib/csp.js
+++ b/lib/csp.js
@@ -5,7 +5,7 @@ const CspStrategy = {}
 
 const defaultDirectives = {
   defaultSrc: ['\'self\''],
-  scriptSrc: ['\'self\'', 'vimeo.com', 'https://gist.github.com', 'www.slideshare.net', 'https://query.yahooapis.com', '\'unsafe-eval\''],
+  scriptSrc: ['\'self\'', 'vimeo.com', 'https://gist.github.com', 'www.slideshare.net', '\'unsafe-eval\''],
   // ^ TODO: Remove unsafe-eval - webpack script-loader issues https://github.com/hackmdio/codimd/issues/594
   imgSrc: ['*'],
   styleSrc: ['\'self\'', '\'unsafe-inline\'', 'https://github.githubassets.com'], // unsafe-inline is required for some libs, plus used in views
-- 
cgit v1.2.3