restrict unnecessarily permissive CSP

lib/defaults.js

@@ -2,6 +2,7 @@ var Default = module.exports;
 
 Default.commonCSP = function (domain, sandbox) {
     domain = ' ' + domain;
+    sandbox = (sandbox && sandbox !== domain? ' ' + sandbox: '');
     // Content-Security-Policy
 
     return [
@@ -15,19 +16,19 @@ Default.commonCSP = function (domain, sandbox) {
          *  it is recommended that you configure these fields to match the
          *  domain which will serve your CryptPad instance.
          */
-        "child-src blob: *",
+        "child-src 'self' blob: " + domain + sandbox,
         // IE/Edge
-        "frame-src blob: *",
+        "frame-src 'self' blob: " + domain + sandbox,
 
         /*  this allows connections over secure or insecure websockets
             if you are deploying to production, you'll probably want to remove
             the ws://* directive, and change '*' to your domain
          */
-        "connect-src 'self' ws: wss: blob: " + domain + (sandbox && sandbox !== domain? ' ' + sandbox: ''),
+        "connect-src 'self' ws: wss: blob: " + domain + sandbox,
 
         // data: is used by codemirror
         "img-src 'self' data: blob:" + domain,
-        "media-src * blob:",
+        "media-src blob:",
 
         // for accounts.cryptpad.fr authentication and cross-domain iframe sandbox
         "frame-ancestors *",