From a7066a34cd2fec21ceaa05853cbadc119d0541d4 Mon Sep 17 00:00:00 2001
From: ekzyis <ek@stacker.news>
Date: Mon, 2 Sep 2024 19:58:14 +0200
Subject: [PATCH] Use default-src 'self' a.stacker.news (#1349)

This should fix CSP errors in Firefox because scripts fetched via <link rel="prefetch"> don't use script-src.
---
 middleware.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/middleware.js b/middleware.js
index b9b12945..7a965619 100644
--- a/middleware.js
+++ b/middleware.js
@@ -83,7 +83,7 @@ export function middleware (request) {
 
   const cspHeader = [
     // if something is not explicitly allowed, we don't allow it.
-    "default-src 'none'",
+    "default-src 'self' a.stacker.news",
     "font-src 'self' a.stacker.news",
     // we want to load images from everywhere but we can limit to HTTPS at least
     "img-src 'self' a.stacker.news m.stacker.news https: data: blob:" + devSrc,