CSP should allow data urls for media-src or the audio captcha won't work

author Dominic Mazzoni <dmazzoni@gmail.com>

Sun, 25 Jun 2023 19:12:32 +0000 (12:12 -0700)

committer Dominic Mazzoni <dmazzoni@gmail.com>

Sun, 25 Jun 2023 19:12:32 +0000 (12:12 -0700)
author Dominic Mazzoni <dmazzoni@gmail.com>
Sun, 25 Jun 2023 19:12:32 +0000 (12:12 -0700)
committer Dominic Mazzoni <dmazzoni@gmail.com>
Sun, 25 Jun 2023 19:12:32 +0000 (12:12 -0700)
diff --git a/src/server/middleware/set-default-csp.ts b/src/server/middleware/set-default-csp.ts

index a3ee52613930d991d6622ad85514096d4ec285d0..fd776ab6d88a8f2de03b8f441dae4954f39cd9fa 100644 (file)
--- a/src/server/middleware/set-default-csp.ts
+++ b/src/server/middleware/set-default-csp.ts
@@ -3,7 +3,7 @@ import type { NextFunction, Response } from "express";
  export default function ({ res, next }: { res: Response; next: NextFunction }) {
    res.setHeader(
      "Content-Security-Policy",
-    `default-src 'self'; manifest-src *; connect-src *; img-src * data:; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; form-action 'self'; base-uri 'self'; frame-src *; media-src *`
+    `default-src 'self'; manifest-src *; connect-src *; img-src * data:; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; form-action 'self'; base-uri 'self'; frame-src *; media-src * data:`
    );
  
    next();
author	Dominic Mazzoni <dmazzoni@gmail.com>
	Sun, 25 Jun 2023 19:12:32 +0000 (12:12 -0700)
committer	Dominic Mazzoni <dmazzoni@gmail.com>
	Sun, 25 Jun 2023 19:12:32 +0000 (12:12 -0700)