Allow embedding of video and audio tags

SISheogorath · SISheogorath · commit 450262c4ab65 · 2018-03-25T20:51:56.000+02:00
Adding mediaSrc to CSP so video and audio files can be embedded without
problems.

From a security perspective it should be fine to load audio and video
data without introducing a high security issue. Only from a privacy
perspective it allows another way to track users if there are data
embedded. But it doesn't introduce any new attack vector as pictures are
also allowed from everywhere.

Signed-off-by: Sheogorath &lt;sheogorath@shivering-isles.com&gt;
diff --git a/lib/csp.js b/lib/csp.js
@@ -11,6 +11,7 @@ var defaultDirectives = {
   styleSrc: ['\'self\'', '\'unsafe-inline\'', 'https://assets-cdn.github.com'], // unsafe-inline is required for some libs, plus used in views
   fontSrc: ['\'self\'', 'https://public.slidesharecdn.com'],
   objectSrc: ['*'], // Chrome PDF viewer treats PDFs as objects :/
+  mediaSrc: ['*'],
   childSrc: ['*'],
   connectSrc: ['*']
 }

Original file line number	Diff line number	Diff line change
`@@ -11,6 +11,7 @@ var defaultDirectives = {`
`11`	`11`	`styleSrc: ['\'self\'', '\'unsafe-inline\'', 'https://assets-cdn.github.com'], // unsafe-inline is required for some libs, plus used in views`
`12`	`12`	`fontSrc: ['\'self\'', 'https://public.slidesharecdn.com'],`
`13`	`13`	`objectSrc: ['*'], // Chrome PDF viewer treats PDFs as objects :/`
	`14`	`+ mediaSrc: ['*'],`
`14`	`15`	`childSrc: ['*'],`
`15`	`16`	`connectSrc: ['*']`
`16`	`17`	`}`