From 450262c4ab6519fec3943e1d19bd48f78f8a8713 Mon Sep 17 00:00:00 2001 From: Sheogorath Date: Sun, 25 Mar 2018 20:50:30 +0200 Subject: [PATCH] Allow embedding of video and audio tags Adding mediaSrc to CSP so video and audio files can be embedded without problems. From a security perspective it should be fine to load audio and video data without introducing a high security issue. Only from a privacy perspective it allows another way to track users if there are data embedded. But it doesn't introduce any new attack vector as pictures are also allowed from everywhere. Signed-off-by: Sheogorath --- lib/csp.js | 1 + 1 file changed, 1 insertion(+) diff --git a/lib/csp.js b/lib/csp.js index cef2e2f6c..8a4aa0885 100644 --- a/lib/csp.js +++ b/lib/csp.js @@ -11,6 +11,7 @@ var defaultDirectives = { styleSrc: ['\'self\'', '\'unsafe-inline\'', 'https://assets-cdn.github.com'], // unsafe-inline is required for some libs, plus used in views fontSrc: ['\'self\'', 'https://public.slidesharecdn.com'], objectSrc: ['*'], // Chrome PDF viewer treats PDFs as objects :/ + mediaSrc: ['*'], childSrc: ['*'], connectSrc: ['*'] }