csp: load any media over https, not just local media

2023-09-11 15:16:26 -05:00 · 2023-09-11 15:16:26 -05:00 · 737c9f0364
parent 6382f98a5e
commit 737c9f0364
1 changed files with 2 additions and 2 deletions
--- a/src/middleware/csp.ts
+++ b/src/middleware/csp.ts
@ -10,8 +10,8 @@ const csp = (): AppMiddleware => {
      'upgrade-insecure-requests',
      `script-src 'self'`,
      `connect-src 'self' blob: ${Conf.localDomain} ${wsProtocol}//${host}`,
-      `media-src 'self' ${Conf.mediaDomain}`,
-      `img-src 'self' data: blob: ${Conf.mediaDomain}`,
+      `media-src 'self' https:`,
+      `img-src 'self' data: blob: https:`,
      `default-src 'none'`,
      `base-uri 'self'`,
      `frame-ancestors 'none'`,