supernets/hardlounge
supernets/hardlounge
4
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Make sure data URIs are allowed by CSP not to block video controls

Browse Source
This commit is contained in:
Jérémie Astori 2017-12-27 13:56:38 -05:00
parent c17d7bddae
commit dab4fc44ea
No known key found for this signature in database
GPG Key ID: B9A4F245CD67BDE8
1 changed files with 4 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
src/server.js
View File

@ -217,11 +217,13 @@ function index(req, res, next) {
]; ];
// If prefetch is enabled, but storage is not, we have to allow mixed content // If prefetch is enabled, but storage is not, we have to allow mixed content
// - https://user-images.githubusercontent.com is where we currently push our changelog screenshots
// - data: is required for the HTML5 video player
if (Helper.config.prefetchStorage || !Helper.config.prefetch) { if (Helper.config.prefetchStorage || !Helper.config.prefetch) {
policies.push("img-src 'self' https://user-images.githubusercontent.com"); policies.push("img-src 'self' data: https://user-images.githubusercontent.com");
policies.unshift("block-all-mixed-content"); policies.unshift("block-all-mixed-content");
} else { } else {
policies.push("img-src http: https:"); policies.push("img-src http: https: data:");
} }
res.setHeader("Content-Type", "text/html"); res.setHeader("Content-Type", "text/html");