From 380d14f4061425fe68b4f7fbdc57cdb37f2d7924 Mon Sep 17 00:00:00 2001
From: shibao <shibao@bubbletea.dev>
Date: Fri, 28 Jan 2022 12:23:18 -0500
Subject: Add `img-src` and `media-src` to `Content-Security-Policy` header for
 files and media proxy (#8188)

* add img-src and media-src to csp in file and media proxy

* add csp changes to changelog

* sort and remove trailing semicolon
---
 packages/backend/src/server/proxy/index.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'packages/backend/src/server/proxy')

diff --git a/packages/backend/src/server/proxy/index.ts b/packages/backend/src/server/proxy/index.ts
index b8993f19f8..7a3094311c 100644
--- a/packages/backend/src/server/proxy/index.ts
+++ b/packages/backend/src/server/proxy/index.ts
@@ -11,7 +11,7 @@ import { proxyMedia } from './proxy-media';
 const app = new Koa();
 app.use(cors());
 app.use(async (ctx, next) => {
-	ctx.set('Content-Security-Policy', `default-src 'none'; style-src 'unsafe-inline'`);
+	ctx.set('Content-Security-Policy', `default-src 'none'; img-src 'self'; media-src 'self'; style-src 'unsafe-inline'`);
 	await next();
 });
 
-- 
cgit v1.2.3-freya