depau/HackMD
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

Allow embedding of video and audio tags

Browse source 
Adding mediaSrc to CSP so video and audio files can be embedded without
problems.

From a security perspective it should be fine to load audio and video
data without introducing a high security issue. Only from a privacy
perspective it allows another way to track users if there are data
embedded. But it doesn't introduce any new attack vector as pictures are
also allowed from everywhere.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
This commit is contained in:
Sheogorath 2018-03-25 20:50:30 +02:00
parent 57c47a65dd
commit 450262c4ab
No known key found for this signature in database
GPG key ID: 1F05CC3635CDDFFD
1 changed files with 1 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
lib/csp.js
View file

@ -11,6 +11,7 @@ var defaultDirectives = {
styleSrc: ['\'self\'', '\'unsafe-inline\'', 'https://assets-cdn.github.com'], // unsafe-inline is required for some libs, plus used in views
fontSrc: ['\'self\'', 'https://public.slidesharecdn.com'],
objectSrc: ['*'], // Chrome PDF viewer treats PDFs as objects :/
mediaSrc: ['*'],
childSrc: ['*'],
connectSrc: ['*']
}