CSP: Allow more content types

Author: literalplus

lib/config/default.js

@@ -18,9 +18,13 @@ module.exports = {
     reportUri: '',
     directives: {
       defaultSrc: ["'self'"],
-      scriptSrc: ["'self'"],
-      styleSrc: ["'self'", "'unsafe-inline'"],
-      fontSrc: ["'self'"],
+      scriptSrc: ["'self'", "'unsafe-eval'", "vimeo.com", "https://gist.github.com", "www.slideshare.net", "https://query.yahooapis.com", "https://*.disqus.com"],
+      imgSrc: ["*"],
+      styleSrc: ["'self'", "'unsafe-inline'", "https://assets-cdn.github.com"],
+      fontSrc: ["'self'", "https://public.slidesharecdn.com"],
+      objectSrc: ["*"],
+      childSrc: ["*"],
+      connectSrc: ["'self'", "https://links.services.disqus.com", "wss://realtime.services.disqus.com"]
     },
     upgradeInsecureRequests: 'auto'
   },