From 380d14f4061425fe68b4f7fbdc57cdb37f2d7924 Mon Sep 17 00:00:00 2001 From: shibao Date: Fri, 28 Jan 2022 12:23:18 -0500 Subject: [PATCH] Add `img-src` and `media-src` to `Content-Security-Policy` header for files and media proxy (#8188) * add img-src and media-src to csp in file and media proxy * add csp changes to changelog * sort and remove trailing semicolon --- CHANGELOG.md | 2 ++ packages/backend/src/server/file/index.ts | 2 +- packages/backend/src/server/proxy/index.ts | 2 +- 3 files changed, 4 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 09b5a2ac87..6e1e87d80b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -47,6 +47,8 @@ ### Bugfixes - アップロードエラー時の処理を修正 +- Add `img-src` and `media-src` directives to `Content-Security-Policy` for + files and media proxy ## 12.101.1 (2021/12/29) diff --git a/packages/backend/src/server/file/index.ts b/packages/backend/src/server/file/index.ts index a455acd1cf..6fe6110dc9 100644 --- a/packages/backend/src/server/file/index.ts +++ b/packages/backend/src/server/file/index.ts @@ -18,7 +18,7 @@ const _dirname = dirname(_filename); const app = new Koa(); app.use(cors()); app.use(async (ctx, next) => { - ctx.set('Content-Security-Policy', `default-src 'none'; style-src 'unsafe-inline'`); + ctx.set('Content-Security-Policy', `default-src 'none'; img-src 'self'; media-src 'self'; style-src 'unsafe-inline'`); await next(); }); diff --git a/packages/backend/src/server/proxy/index.ts b/packages/backend/src/server/proxy/index.ts index b8993f19f8..7a3094311c 100644 --- a/packages/backend/src/server/proxy/index.ts +++ b/packages/backend/src/server/proxy/index.ts @@ -11,7 +11,7 @@ import { proxyMedia } from './proxy-media'; const app = new Koa(); app.use(cors()); app.use(async (ctx, next) => { - ctx.set('Content-Security-Policy', `default-src 'none'; style-src 'unsafe-inline'`); + ctx.set('Content-Security-Policy', `default-src 'none'; img-src 'self'; media-src 'self'; style-src 'unsafe-inline'`); await next(); });