csp: load any media over https, not just local media

Alex Gleason 2023-09-11 15:16:26 -05:00
parent 6382f98a5e
commit 737c9f0364
No known key found for this signature in database
GPG Key ID: 7211D1F99744FBB7
1 changed files with 2 additions and 2 deletions


@ -10,8 +10,8 @@ const csp = (): AppMiddleware => {
'upgrade-insecure-requests', 'upgrade-insecure-requests',
`script-src 'self'`, `script-src 'self'`,
`connect-src 'self' blob: ${Conf.localDomain} ${wsProtocol}//${host}`, `connect-src 'self' blob: ${Conf.localDomain} ${wsProtocol}//${host}`,
`media-src 'self' ${Conf.mediaDomain}`, `media-src 'self' https:`,
`img-src 'self' data: blob: ${Conf.mediaDomain}`, `img-src 'self' data: blob: https:`,
`default-src 'none'`, `default-src 'none'`,
`base-uri 'self'`, `base-uri 'self'`,
`frame-ancestors 'none'`, `frame-ancestors 'none'`,
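Review bot: The `https:` scheme source in the new `media-src` and `img-src` entries matches every HTTPS host, so after this change the policy no longer restricts where images and media are fetched from. Going by the commit title that is the intent, but it also means any markup that reaches the page can cause requests to arbitrary hosts, and every remote image or media file exposes the viewer's IP address to the host serving it; `script-src 'self'` and `default-src 'none'` stay tight, so the exposure is limited to passive loads. If the allowance is kept, record the tradeoff next to the two directives, e.g. `// img-src/media-src allow any https: host so remote media renders; CSP no longer limits where images and media load from`, and consider whether serving remote media through `Conf.mediaDomain` is feasible instead. The policy array and the `csp` function continue outside this hunk, so whether `Conf.mediaDomain` is still referenced elsewhere cannot be seen from here.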