Merge pull request #1904 from thelounge/astorije/csp-video-controls

Make sure data URIs are allowed by CSP not to block video controls
Jérémie Astori 2017-12-27 14:31:44 -05:00 committed by GitHub
commit b02b47c822
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -217,11 +217,13 @@ function index(req, res, next) {
]; ];
// If prefetch is enabled, but storage is not, we have to allow mixed content // If prefetch is enabled, but storage is not, we have to allow mixed content
// - https://user-images.githubusercontent.com is where we currently push our changelog screenshots
// - data: is required for the HTML5 video player
if (Helper.config.prefetchStorage || !Helper.config.prefetch) { if (Helper.config.prefetchStorage || !Helper.config.prefetch) {
policies.push("img-src 'self' https://user-images.githubusercontent.com"); policies.push("img-src 'self' data: https://user-images.githubusercontent.com");
policies.unshift("block-all-mixed-content"); policies.unshift("block-all-mixed-content");
} else { } else {
policies.push("img-src http: https:"); policies.push("img-src http: https: data:");
} }
res.setHeader("Content-Type", "text/html"); res.setHeader("Content-Type", "text/html");