Allow HTTPS post media in the content security policy and cover it with a regression test.
Hop-State: A_06FPCZJEV5F0C6SP72N2X2G Hop-Proposal: R_06FPCZHS36HMS1FP567XKN0 Hop-Task: T_06FPCYDXSZGDJRD738J0TJ8 Hop-Attempt: AT_06FPCYDXSZG4P47QJD8GHJG
This commit is contained in:
+2
-1
@@ -27,7 +27,7 @@ function getBuildCommitCount(): string {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
const contentSecurityPolicy = [
|
export const contentSecurityPolicy = [
|
||||||
"default-src 'self'",
|
"default-src 'self'",
|
||||||
"base-uri 'self'",
|
"base-uri 'self'",
|
||||||
"object-src 'none'",
|
"object-src 'none'",
|
||||||
@@ -36,6 +36,7 @@ const contentSecurityPolicy = [
|
|||||||
`script-src 'self' 'unsafe-inline' 'wasm-unsafe-eval'${process.env.NODE_ENV === 'development' ? " 'unsafe-eval'" : ''} https://challenges.cloudflare.com`,
|
`script-src 'self' 'unsafe-inline' 'wasm-unsafe-eval'${process.env.NODE_ENV === 'development' ? " 'unsafe-eval'" : ''} https://challenges.cloudflare.com`,
|
||||||
"style-src 'self' 'unsafe-inline'",
|
"style-src 'self' 'unsafe-inline'",
|
||||||
"img-src 'self' data: blob: https:",
|
"img-src 'self' data: blob: https:",
|
||||||
|
"media-src 'self' blob: https:",
|
||||||
"font-src 'self' data:",
|
"font-src 'self' data:",
|
||||||
"connect-src 'self' https: wss:",
|
"connect-src 'self' https: wss:",
|
||||||
"frame-src https://challenges.cloudflare.com",
|
"frame-src https://challenges.cloudflare.com",
|
||||||
|
|||||||
@@ -0,0 +1,8 @@
|
|||||||
|
import { describe, expect, it } from 'vitest';
|
||||||
|
import { contentSecurityPolicy } from '../../../next.config';
|
||||||
|
|
||||||
|
describe('content security policy', () => {
|
||||||
|
it('allows HTTPS media served by connected storage providers', () => {
|
||||||
|
expect(contentSecurityPolicy).toContain("media-src 'self' blob: https:");
|
||||||
|
});
|
||||||
|
});
|
||||||
Reference in New Issue
Block a user