From ecee16bd737b59d93ac0d1633fd8afd6aabca063 Mon Sep 17 00:00:00 2001
From: Sheogorath <sheogorath@shivering-isles.com>
Date: Wed, 5 Dec 2018 13:14:34 +0100
Subject: [PATCH] Fix disqus CSP

Disqus loads it's embed config.js from its root domain
(https://disqus.com). Our CSPs only allow subdomains (e.g.:
https://codimd.disqus.com). This causes the disqus embedding to fail.

This patch should fix this problem by adding https://disqus.com to the
CSP setting. From a security perspective there is no real change. Since
still the same parties are involved.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
---
 lib/csp.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/csp.js b/lib/csp.js
index 96be533..098d35d 100644
--- a/lib/csp.js
+++ b/lib/csp.js
@@ -23,7 +23,7 @@ var cdnDirectives = {
 }
 
 var disqusDirectives = {
-  scriptSrc: ['https://*.disqus.com', 'https://*.disquscdn.com'],
+  scriptSrc: ['https://disqus.com', 'https://*.disqus.com', 'https://*.disquscdn.com'],
   styleSrc: ['https://*.disquscdn.com'],
   fontSrc: ['https://*.disquscdn.com']
 }