Allow blob: scheme (#817)

This commit is contained in:
ekzyis 2024-02-13 23:11:34 +01:00 committed by GitHub
parent d6465162bd
commit bff9342272
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 1 additions and 1 deletions

View File

@ -25,7 +25,7 @@ export function middleware (request) {
"default-src 'none'",
"font-src 'self' a.stacker.news",
// we want to load images from everywhere but we can limit to HTTPS at least
"img-src 'self' a.stacker.news m.stacker.news https: data:",
"img-src 'self' a.stacker.news m.stacker.news https: data: blob:",
// Using nonces and strict-dynamic deploys a strict CSP.
// see https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html#strict-policy.
// Old browsers will ignore nonce and strict-dynamic