diff --git a/config.example.js b/config.example.js
index c7a831b4c..d2ea25a3e 100644
--- a/config.example.js
+++ b/config.example.js
@@ -33,9 +33,9 @@ module.exports = {
 * it is recommended that you configure these fields to match the
 * domain which will serve your CryptPad instance.
 */
- "child-src 'self' *",
+ "child-src 'self' blob: *",
- "media-src *",
+ "media-src * blob:",
 /* this allows connections over secure or insecure websockets
 if you are deploying to production, you'll probably want to remove
diff --git a/server.js b/server.js
index ec89ef2af..0db55f8d0 100644
--- a/server.js
+++ b/server.js
@@ -34,6 +34,7 @@ var setHeaders = (function () {
 const headers = clone(config.httpHeaders);
 if (config.contentSecurity) {
 headers['Content-Security-Policy'] = clone(config.contentSecurity);
+ if (!/;$/.test(headers['Content-Security-Policy'])) { headers['Content-Security-Policy'] += ';' }
 if (headers['Content-Security-Policy'].indexOf('frame-ancestors') === -1) {
 // backward compat for those who do not merge the new version of the config
 // when updating. This prevents endless spinner if someone clicks donate.
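Review bot: The added guard in the server.js hunk only recognises a policy whose very last character is `;`, so a configured `contentSecurity` string that ends in trailing whitespace or a newline gets a second separator appended instead of being left alone, and the new line also omits the statement terminator and the one-statement-per-line brace style the surrounding code uses. A tolerant check covers both: `if (!/;\s*$/.test(headers['Content-Security-Policy'])) { headers['Content-Security-Policy'] += ';'; }`. CSP parsers skip empty directives, so a doubled separator is cosmetic rather than a policy hole, but the reason for forcing the terminator is not stated; it presumably serves the directive appended in the `frame-ancestors` branch just below, so a short comment such as `// ensure a trailing ';' so any directive appended below is parsed as its own directive` would save the next reader from guessing. The enclosing setHeaders IIFE begins before this hunk and continues past it.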