From a0b4b3ce2aad1bde0eb39471f62cdb2e4e925c23 Mon Sep 17 00:00:00 2001 From: cyph3rasi Date: Wed, 15 Jul 2026 08:56:21 -0700 Subject: [PATCH] Allow HTTPS post media in the content security policy and cover it with a regression test. Hop-State: A_06FPCZJEV5F0C6SP72N2X2G Hop-Proposal: R_06FPCZHS36HMS1FP567XKN0 Hop-Task: T_06FPCYDXSZGDJRD738J0TJ8 Hop-Attempt: AT_06FPCYDXSZG4P47QJD8GHJG --- next.config.ts | 3 ++- src/lib/security/content-security-policy.test.ts | 8 ++++++++ 2 files changed, 10 insertions(+), 1 deletion(-) create mode 100644 src/lib/security/content-security-policy.test.ts diff --git a/next.config.ts b/next.config.ts index 2911ac0..63c997b 100644 --- a/next.config.ts +++ b/next.config.ts @@ -27,7 +27,7 @@ function getBuildCommitCount(): string { } } -const contentSecurityPolicy = [ +export const contentSecurityPolicy = [ "default-src 'self'", "base-uri 'self'", "object-src 'none'", @@ -36,6 +36,7 @@ const contentSecurityPolicy = [ `script-src 'self' 'unsafe-inline' 'wasm-unsafe-eval'${process.env.NODE_ENV === 'development' ? " 'unsafe-eval'" : ''} https://challenges.cloudflare.com`, "style-src 'self' 'unsafe-inline'", "img-src 'self' data: blob: https:", + "media-src 'self' blob: https:", "font-src 'self' data:", "connect-src 'self' https: wss:", "frame-src https://challenges.cloudflare.com", diff --git a/src/lib/security/content-security-policy.test.ts b/src/lib/security/content-security-policy.test.ts new file mode 100644 index 0000000..5f392f8 --- /dev/null +++ b/src/lib/security/content-security-policy.test.ts @@ -0,0 +1,8 @@ +import { describe, expect, it } from 'vitest'; +import { contentSecurityPolicy } from '../../../next.config'; + +describe('content security policy', () => { + it('allows HTTPS media served by connected storage providers', () => { + expect(contentSecurityPolicy).toContain("media-src 'self' blob: https:"); + }); +});