| author | Fuwn <[email protected]> | 2026-06-01 14:31:54 +0000 |
|---|---|---|
| committer | Fuwn <[email protected]> | 2026-06-01 14:31:54 +0000 |
| commit | b53c69e654e68ebf86bc3b267616497116d4de77 (patch) | |
| tree | 242febb44d6800a00b691e33ba1cf4eed91e7668 | |
| parent | feat(security): add Content-Security-Policy (diff) | |
| download | due.moe-b53c69e654e68ebf86bc3b267616497116d4de77.tar.xz due.moe-b53c69e654e68ebf86bc3b267616497116d4de77.zip | |
fix(security): allow media-src in CSP for external video
Static source sweep found a <video> on the home page (rendered when a
user disables all content sections) sourced from video.twimg.com.
media-src was unset, so it fell back to default-src 'self' and would be
blocked. Add media-src 'self' data: blob: https: (matching img-src).
| -rw-r--r-- | svelte.config.js | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/svelte.config.js b/svelte.config.js
index 9ef30e18..f21e40e9 100644
--- a/svelte.config.js
+++ b/svelte.config.js
@@ -30,6 +30,7 @@ const config = {
 "https://proxy.due.moe",
 ],
 "img-src": ["self", "data:", "blob:", "https:"],
+ "media-src": ["self", "data:", "blob:", "https:"],
 "connect-src": ["self", "https:", "ws:", "wss:"],
 "object-src": ["none"],
 "base-uri": ["self"], |
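Review bot: The added `media-src` line allows `data:`, `blob:` and every `https:` origin, while the commit message names a single external source, video.twimg.com. Copying the `img-src` list makes the directive wider than the stated need; a narrower form such as `"media-src": ["self", "https://video.twimg.com"],` would keep the home-page video working and still block media from other origins. If `data:` or `blob:` media is used elsewhere in the app (not visible in this hunk), keep those two and add a comment such as `// media-src: home-page <video> is served from video.twimg.com` so the exception stays traceable. The `config` object begins and ends outside the hunk.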