Commit 3c55a425 authored by Benjamin Neff's avatar Benjamin Neff Committed by Dennis Schubert

Fix script domain for instagram in CSP header

closes #7920
parent e33466de
......@@ -10,6 +10,7 @@
## Bug fixes
* Ignore invalid URLs for camo [#7922](https://github.com/diaspora/diaspora/pull/7922)
* Unlinking a post did not update the participation icon without a reload [#7882](https://github.com/diaspora/diaspora/pull/7882)
* Fix broken Instagram embedding [#7920](https://github.com/diaspora/diaspora/pull/7920)
## Features
* Add the ability to assign roles in the admin panel [#7868](https://github.com/diaspora/diaspora/pull/7868)
......
......@@ -4,19 +4,19 @@ SecureHeaders::Configuration.default do |config|
config.hsts = SecureHeaders::OPT_OUT # added by Rack::SSL
csp = {
default_src: %w('none'),
connect_src: %w('self' embedr.flickr.com geo.query.yahoo.com nominatim.openstreetmap.org api.github.com),
font_src: %w('self'),
form_action: %w('self' platform.twitter.com syndication.twitter.com),
frame_ancestors: %w('self'),
frame_src: %w('self' www.youtube.com w.soundcloud.com twitter.com platform.twitter.com syndication.twitter.com
player.vimeo.com www.mixcloud.com www.dailymotion.com media.ccc.de bandcamp.com
www.instagram.com),
img_src: %w('self' data: *),
media_src: %w(https:),
script_src: %w('self' 'unsafe-eval' platform.twitter.com cdn.syndication.twimg.com widgets.flickr.com
embedr.flickr.com platform.instagram.com 'unsafe-inline'),
style_src: %w('self' 'unsafe-inline' platform.twitter.com *.twimg.com)
default_src: %w['none'],
connect_src: %w['self' embedr.flickr.com geo.query.yahoo.com nominatim.openstreetmap.org api.github.com],
font_src: %w['self'],
form_action: %w['self' platform.twitter.com syndication.twitter.com],
frame_ancestors: %w['self'],
frame_src: %w['self' blob: www.youtube.com w.soundcloud.com twitter.com platform.twitter.com
syndication.twitter.com player.vimeo.com www.mixcloud.com www.dailymotion.com media.ccc.de
bandcamp.com www.instagram.com],
img_src: %w['self' data: blob: *],
media_src: %w[https:],
script_src: %w['self' blob: 'unsafe-eval' platform.twitter.com cdn.syndication.twimg.com widgets.flickr.com
embedr.flickr.com www.instagram.com 'unsafe-inline'],
style_src: %w['self' 'unsafe-inline' platform.twitter.com *.twimg.com]
}
if AppConfig.environment.assets.host.present?
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment