depau
/
HackMD
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Fix disqus CSP 

Disqus loads it's embed config.js from its root domain
(https://disqus.com). Our CSPs only allow subdomains (e.g.:
https://codimd.disqus.com). This causes the disqus embedding to fail.

This patch should fix this problem by adding https://disqus.com to the
CSP setting. From a security perspective there is no real change. Since
still the same parties are involved.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
This commit is contained in:
Sheogorath 2018-12-05 13:14:34 +01:00
parent b40f14f66d
commit ecee16bd73
No known key found for this signature in database
GPG Key ID: 1F05CC3635CDDFFD
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
lib/csp.js
View File

@ -23,7 +23,7 @@ var cdnDirectives = {
}
var disqusDirectives = {
scriptSrc: ['https://*.disqus.com', 'https://*.disquscdn.com'],
scriptSrc: ['https://disqus.com', 'https://*.disqus.com', 'https://*.disquscdn.com'],
styleSrc: ['https://*.disquscdn.com'],
fontSrc: ['https://*.disquscdn.com']
}