Update CSP (#24)

* Change default-src to self * Add data: to media-src
mediafellows · May 21, 2024 · 24cafb3 · 24cafb3
1 parent 9fe05f8
commit 24cafb3
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 3 deletions.
diff --git a/index.js b/index.js
@@ -6,7 +6,7 @@ const {existsSync} = require('fs')
 // Documented at https://developer.mozilla.org/de/docs/Web/HTTP/Headers/Content-Security-Policy
 const defaultCSP = {
   'default-src': [
-    "'none'"
+    "'self'"
   ],
   'script-src': [
     "'self'",
@@ -71,6 +71,7 @@ const defaultCSP = {
   ],
   'media-src': [
     "'self'",
+    "data:",
     "blob:",
     "*.{{base_domain}}",
     "*.amazonaws.com",

diff --git a/index.mock.js b/index.mock.js
@@ -2,7 +2,7 @@ const {merge, trim, reduce} = require('lodash')
 const {execSync} = require('child_process')
 
 const defaultCSP = {
-  'default-src': ["'none'"],
+  'default-src': ["'self'"],
   'child-src': ["blob:"],
   'script-src': [
     "'self' 'unsafe-inline' 'unsafe-eval'",
@@ -45,7 +45,7 @@ const defaultCSP = {
     "licensing.theoplayer.com",
   ],
   'media-src': [
-    "'self' blob:",
+    "'self' data: blob:",
     "*.{{base_domain}}",
     "*.s3-accelerate.amazonaws.com *.s3.amazonaws.com",
   ],