Add `img-src` and `media-src` to `Content-Security-Policy` header for files and media proxy (#8188)

* add img-src and media-src to csp in file and media proxy * add csp changes to changelog * sort and remove trailing semicolon
author: shibao <shibao@bubbletea.dev> 2022-01-28 12:23:18 -0500
committer: GitHub <noreply@github.com> 2022-01-29 02:23:18 +0900
commit: 380d14f4061425fe68b4f7fbdc57cdb37f2d7924 (patch)
tree: 1ef33bb1fa4bc6c19651f5502c7f321059b149cc /packages/backend/src/server/proxy
parent: round relative time (#8199) (diff)
download: misskey-380d14f4061425fe68b4f7fbdc57cdb37f2d7924.tar.gz
misskey-380d14f4061425fe68b4f7fbdc57cdb37f2d7924.tar.bz2
misskey-380d14f4061425fe68b4f7fbdc57cdb37f2d7924.zip
1 files changed, 1 insertions, 1 deletions
diff --git a/packages/backend/src/server/proxy/index.ts b/packages/backend/src/server/proxy/index.ts
index b8993f19f8..7a3094311c 100644
--- a/packages/backend/src/server/proxy/index.ts
+++ b/packages/backend/src/server/proxy/index.ts
@@ -11,7 +11,7 @@ import { proxyMedia } from './proxy-media';
 const app = new Koa();
 app.use(cors());
 app.use(async (ctx, next) => {
-	ctx.set('Content-Security-Policy', `default-src 'none'; style-src 'unsafe-inline'`);
+	ctx.set('Content-Security-Policy', `default-src 'none'; img-src 'self'; media-src 'self'; style-src 'unsafe-inline'`);
 	await next();
 });
author	shibao <shibao@bubbletea.dev>	2022-01-28 12:23:18 -0500
committer	GitHub <noreply@github.com>	2022-01-29 02:23:18 +0900
commit	380d14f4061425fe68b4f7fbdc57cdb37f2d7924 (patch)
tree	1ef33bb1fa4bc6c19651f5502c7f321059b149cc /packages/backend/src/server/proxy
parent	round relative time (#8199) (diff)
download	misskey-380d14f4061425fe68b4f7fbdc57cdb37f2d7924.tar.gz misskey-380d14f4061425fe68b4f7fbdc57cdb37f2d7924.tar.bz2 misskey-380d14f4061425fe68b4f7fbdc57cdb37f2d7924.zip