Merge branch 'staging' of github.com:xwiki-labs/cryptpad into staging

config.example.js

@@ -33,9 +33,9 @@ module.exports = {
          *  it is recommended that you configure these fields to match the
          *  domain which will serve your CryptPad instance.
          */
-        "child-src 'self' *",
+        "child-src 'self' blob: *",
 
-        "media-src *",
+        "media-src * blob:",
 
         /*  this allows connections over secure or insecure websockets
             if you are deploying to production, you'll probably want to remove

server.js

@@ -34,6 +34,7 @@ var setHeaders = (function () {
     const headers = clone(config.httpHeaders);
     if (config.contentSecurity) {
         headers['Content-Security-Policy'] = clone(config.contentSecurity);
+        if (!/;$/.test(headers['Content-Security-Policy'])) { headers['Content-Security-Policy'] += ';' }
         if (headers['Content-Security-Policy'].indexOf('frame-ancestors') === -1) {
             // backward compat for those who do not merge the new version of the config
             // when updating. This prevents endless spinner if someone clicks donate.