github/hedgedoc
1
0
Fork 0
mirror of https://github.com/hedgedoc/hedgedoc.git synced 2025-04-20 11:15:40 +00:00
Code Issues Projects Releases Packages Wiki Activity

Remove yahoo domain from default CSP rules

Browse source 
Signed-off-by: Erik Michelson <opensource@erik.michelson.eu>
This commit is contained in:
Erik Michelson 2021-03-29 23:35:12 +02:00 committed by Erik Michelson
parent 1534d7029b
commit f948de1d48
No known key found for this signature in database
GPG key ID: DB99ADDDC5C0AF82
1 changed files with 1 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
lib/csp.js
View file

@ -5,7 +5,7 @@ const CspStrategy = {}
const defaultDirectives = {
defaultSrc: ['\'self\''],
scriptSrc: ['\'self\'', 'vimeo.com', 'https://gist.github.com', 'www.slideshare.net', 'https://query.yahooapis.com', '\'unsafe-eval\''],
scriptSrc: ['\'self\'', 'vimeo.com', 'https://gist.github.com', 'www.slideshare.net', '\'unsafe-eval\''],
// ^ TODO: Remove unsafe-eval - webpack script-loader issues https://github.com/hackmdio/codimd/issues/594
imgSrc: ['*'],
styleSrc: ['\'self\'', '\'unsafe-inline\'', 'https://github.githubassets.com'], // unsafe-inline is required for some libs, plus used in views