From 24cafb336fa5b042b377208186007236a1c42dd7 Mon Sep 17 00:00:00 2001
From: Yanko Shterev
Date: Tue, 21 May 2024 13:31:30 +0300
Subject: [PATCH] Update CSP (#24)

* Change default-src to self

* Add data: to media-src
---
 index.js | 3 ++-
 index.mock.js | 4 ++--
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/index.js b/index.js
index ad69aae..4978e01 100644
--- a/index.js
+++ b/index.js
@@ -6,7 +6,7 @@ const {existsSync} = require('fs')
 // Documented at https://developer.mozilla.org/de/docs/Web/HTTP/Headers/Content-Security-Policy
 const defaultCSP = {
 'default-src': [
- "'none'"
+ "'self'"
 ],
 'script-src': [
 "'self'",
@@ -71,6 +71,7 @@ const defaultCSP = {
 ],
 'media-src': [
 "'self'",
+ "data:",
 "blob:",
 "*.{{base_domain}}",
 "*.amazonaws.com",
diff --git a/index.mock.js b/index.mock.js
index d72a9e9..f5d6302 100644
--- a/index.mock.js
+++ b/index.mock.js
@@ -2,7 +2,7 @@ const {merge, trim, reduce} = require('lodash')
 const {execSync} = require('child_process')
 
 const defaultCSP = {
- 'default-src': ["'none'"],
+ 'default-src': ["'self'"],
 'child-src': ["blob:"],
 'script-src': [
 "'self' 'unsafe-inline' 'unsafe-eval'",
@@ -45,7 +45,7 @@ const defaultCSP = {
 "licensing.theoplayer.com",
 ],
 'media-src': [
- "'self' blob:",
+ "'self' data: blob:",
 "*.{{base_domain}}",
 "*.s3-accelerate.amazonaws.com *.s3.amazonaws.com",
 ],
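Review bot: Switching `default-src` from `'none'` to `'self'` in the first index.js hunk widens the fallback for every fetch directive that defaultCSP does not list explicitly (for example `object-src`, `worker-src`, `manifest-src`, `frame-src`), so same-origin loads that the old policy blocked outright are now allowed; the same change is made in the first index.mock.js hunk. The commit message records what changed but not which resource type needed it; if a single directive was failing, adding that directive explicitly (e.g. `'worker-src': ["'self'"],`) would keep the deny-by-default fallback for everything else. Whether those directives are already present cannot be seen here, since the defaultCSP object continues outside both hunks. At minimum a comment above the line, such as `// 'self' fallback: any directive not listed below now permits same-origin loads`, would record the intent for the next reader.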
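Review bot: The `data:` source added to `media-src` in the second index.js hunk (and the matching index.mock.js hunk) carries no comment saying which feature embeds inline audio/video; `data:` in `media-src` cannot execute code, so the effect is limited to bypassing the host allow-list for media bodies, but without a why-comment the entry is likely to be copied into other directives where it would matter more. Suggest a one-line comment above `"data:"`, for example `// data: needed for inline (base64) media, see #24`.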