csp: load any media over https, not just local media
This commit is contained in:
parent
6382f98a5e
commit
737c9f0364
|
@ -10,8 +10,8 @@ const csp = (): AppMiddleware => {
|
||||||
'upgrade-insecure-requests',
|
'upgrade-insecure-requests',
|
||||||
`script-src 'self'`,
|
`script-src 'self'`,
|
||||||
`connect-src 'self' blob: ${Conf.localDomain} ${wsProtocol}//${host}`,
|
`connect-src 'self' blob: ${Conf.localDomain} ${wsProtocol}//${host}`,
|
||||||
`media-src 'self' ${Conf.mediaDomain}`,
|
`media-src 'self' https:`,
|
||||||
`img-src 'self' data: blob: ${Conf.mediaDomain}`,
|
`img-src 'self' data: blob: https:`,
|
||||||
`default-src 'none'`,
|
`default-src 'none'`,
|
||||||
`base-uri 'self'`,
|
`base-uri 'self'`,
|
||||||
`frame-ancestors 'none'`,
|
`frame-ancestors 'none'`,
|
||||||
|
|
Loading…
Reference in New Issue