diff options
| author | Omar Roth <omarroth@protonmail.com> | 2020-03-19 13:37:22 -0500 |
|---|---|---|
| committer | Omar Roth <omarroth@protonmail.com> | 2020-03-19 13:41:08 -0500 |
| commit | 92798abb5d2731d6336da907113f2af407944f6d (patch) | |
| tree | 5fe531b5e9f005c4ff9c5a90502d4e292ee1ff6d /src | |
| parent | bd7950b7579426d3acdf881262e802678e2c336d (diff) | |
| download | invidious-92798abb5d2731d6336da907113f2af407944f6d.tar.gz invidious-92798abb5d2731d6336da907113f2af407944f6d.tar.bz2 invidious-92798abb5d2731d6336da907113f2af407944f6d.zip | |
Add manifest-src to CSP
Diffstat (limited to 'src')
| -rw-r--r-- | src/invidious.cr | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/src/invidious.cr b/src/invidious.cr index 800af0dd..73546d7d 100644 --- a/src/invidious.cr +++ b/src/invidious.cr @@ -261,7 +261,7 @@ before_all do |env| extra_media_csp += " https://*.googlevideo.com:443" end # TODO: Remove style-src's 'unsafe-inline', requires to remove all inline styles (<style> [..] </style>, style=" [..] ") - env.response.headers["Content-Security-Policy"] = "default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; connect-src 'self'; media-src 'self' blob:#{extra_media_csp}" + env.response.headers["Content-Security-Policy"] = "default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; connect-src 'self'; manifest-src 'self'; media-src 'self' blob:#{extra_media_csp}" env.response.headers["Referrer-Policy"] = "same-origin" if (Kemal.config.ssl || config.https_only) && config.hsts |