From 92798abb5d2731d6336da907113f2af407944f6d Mon Sep 17 00:00:00 2001
From: Omar Roth
Date: Thu, 19 Mar 2020 13:37:22 -0500
Subject: [PATCH] Add manifest-src to CSP
---
 src/invidious.cr | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/invidious.cr b/src/invidious.cr
index 800af0dd..73546d7d 100644
--- a/src/invidious.cr
+++ b/src/invidious.cr
@@ -261,7 +261,7 @@ before_all do |env|
 extra_media_csp += " https://*.googlevideo.com:443"
 end
 # TODO: Remove style-src 'unsafe-inline', requires to remove all inline styles (, style=" [..] ")
- env.response.headers["Content-Security-Policy"] = "default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; connect-src 'self'; media-src 'self' blob:#{extra_media_csp}"
+ env.response.headers["Content-Security-Policy"] = "default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; connect-src 'self'; manifest-src 'self'; media-src 'self' blob:#{extra_media_csp}"
 env.response.headers["Referrer-Policy"] = "same-origin"
 if (Kemal.config.ssl || config.https_only) && config.hsts
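Review bot: The new policy line still omits the directives that do not fall back to `default-src 'none'` — `base-uri` and `form-action` (and `frame-ancestors`) are governed independently of default-src, so the policy is less closed than the `'none'` default suggests; unless they are set elsewhere in the file, consider appending `; base-uri 'self'; form-action 'self'`, with `frame-ancestors` decided separately if embed routes are meant to be framed by other origins. The `manifest-src 'self'` addition itself is correct, since a web-app manifest fetch is otherwise blocked by `default-src 'none'`, and a short comment above the assignment such as `# default-src 'none' makes every resource type opt-in: any newly served asset type needs its own directive here` would explain why each such change shows up as an edit to this one line. As a point of style, the single long literal makes reviewing directive changes hard; building the policy from an array of directives joined with `"; "` would make future additions a one-line diff. The enclosing `before_all` block starts and ends outside this hunk.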