From 81d0af6e80ef132e4b4d1bd939b7b8a0773692fe Mon Sep 17 00:00:00 2001
From: Gani Georgiev
Date: Sun, 2 Oct 2022 12:33:31 +0300
Subject: [PATCH] [#693] added media-src to the default files CSP
---
 tools/filesystem/filesystem.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/filesystem/filesystem.go b/tools/filesystem/filesystem.go
index 22c64aa3..309c486f 100644
--- a/tools/filesystem/filesystem.go
+++ b/tools/filesystem/filesystem.go
@@ -226,7 +226,7 @@ func (s *System) Serve(response http.ResponseWriter, fileKey string, name string
 response.Header().Set("Content-Disposition", disposition+"; filename="+name)
 response.Header().Set("Content-Type", extContentType)
 response.Header().Set("Content-Length", strconv.FormatInt(r.Size(), 10))
- response.Header().Set("Content-Security-Policy", "default-src 'none'; style-src 'unsafe-inline'; sandbox")
+ response.Header().Set("Content-Security-Policy", "default-src 'none'; media-src 'self'; style-src 'unsafe-inline'; sandbox")
 // All HTTP date/time stamps MUST be represented in Greenwich Mean Time (GMT)
 // (see https://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.3.1)
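Review bot: The relaxed policy on the new `Content-Security-Policy` line is still an unexplained string literal, so nothing tells the next maintainer why `media-src 'self'` is there or which directives must stay tight. I would add a comment above it such as `// Locked-down CSP for served files: 'none' by default, same-origin media so audio/video can play when opened directly, sandbox so HTML/SVG content cannot run scripts.` The playback rationale is my reading of the commit subject, so confirm it against #693. Because `sandbox` is set without `allow-same-origin`, it is also worth checking in the browsers you support that `'self'` still matches the file's own URL. A test asserting the exact header value returned by `Serve` would keep later edits to this policy deliberate; `Serve`'s body starts and ends outside the hunk.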