Add img-src and media-src to Content-Security-Policy header for files and media proxy (#8188)

* add img-src and media-src to csp in file and media proxy

* add csp changes to changelog

* sort and remove trailing semicolon
This commit is contained in:
shibao 2022-01-28 12:23:18 -05:00 committed by GitHub
parent 29b33b37ee
commit 380d14f406
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 4 additions and 2 deletions

View File

@ -47,6 +47,8 @@
### Bugfixes ### Bugfixes
- アップロードエラー時の処理を修正 - アップロードエラー時の処理を修正
- Add `img-src` and `media-src` directives to `Content-Security-Policy` for
files and media proxy
## 12.101.1 (2021/12/29) ## 12.101.1 (2021/12/29)

View File

@ -18,7 +18,7 @@ const _dirname = dirname(_filename);
const app = new Koa(); const app = new Koa();
app.use(cors()); app.use(cors());
app.use(async (ctx, next) => { app.use(async (ctx, next) => {
ctx.set('Content-Security-Policy', `default-src 'none'; style-src 'unsafe-inline'`); ctx.set('Content-Security-Policy', `default-src 'none'; img-src 'self'; media-src 'self'; style-src 'unsafe-inline'`);
await next(); await next();
}); });

View File

@ -11,7 +11,7 @@ import { proxyMedia } from './proxy-media';
const app = new Koa(); const app = new Koa();
app.use(cors()); app.use(cors());
app.use(async (ctx, next) => { app.use(async (ctx, next) => {
ctx.set('Content-Security-Policy', `default-src 'none'; style-src 'unsafe-inline'`); ctx.set('Content-Security-Policy', `default-src 'none'; img-src 'self'; media-src 'self'; style-src 'unsafe-inline'`);
await next(); await next();
}); });