cinny: allow matrix.org media in CSP img-src
Federated matrix.org users load avatars/images from their own media endpoint (matrix-client.matrix.org), which img-src still blocked — so every avatar tripped a CSP violation. Add https://matrix.org + https://*.matrix.org to img-src to match connect-src. (media-src already allows https: so video/audio were fine.) Applied live to LXC 106 and synced here. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
+1
-1
@@ -39,7 +39,7 @@ server {
|
|||||||
}
|
}
|
||||||
|
|
||||||
# Content Security Policy
|
# Content Security Policy
|
||||||
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' blob:; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; img-src 'self' data: blob: https://matrix.lotusguild.org https://drive.lotusguild.org https://media.giphy.com https://media0.giphy.com https://media1.giphy.com https://media2.giphy.com https://media3.giphy.com https://media4.giphy.com https://www.openstreetmap.org https://tile.openstreetmap.org https://api.qrserver.com; font-src 'self' data: https://fonts.gstatic.com; connect-src 'self' https://matrix.lotusguild.org wss://matrix.lotusguild.org https://matrix.org https://*.matrix.org https://api.giphy.com https://*.giphy.com wss:; media-src 'self' https: blob:; frame-src 'self' https://www.openstreetmap.org; worker-src 'self' blob:; object-src 'none'; frame-ancestors 'none'; base-uri 'self'; form-action 'self';" always;
|
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' blob:; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; img-src 'self' data: blob: https://matrix.lotusguild.org https://matrix.org https://*.matrix.org https://drive.lotusguild.org https://media.giphy.com https://media0.giphy.com https://media1.giphy.com https://media2.giphy.com https://media3.giphy.com https://media4.giphy.com https://www.openstreetmap.org https://tile.openstreetmap.org https://api.qrserver.com; font-src 'self' data: https://fonts.gstatic.com; connect-src 'self' https://matrix.lotusguild.org wss://matrix.lotusguild.org https://matrix.org https://*.matrix.org https://api.giphy.com https://*.giphy.com wss:; media-src 'self' https: blob:; frame-src 'self' https://www.openstreetmap.org; worker-src 'self' blob:; object-src 'none'; frame-ancestors 'none'; base-uri 'self'; form-action 'self';" always;
|
||||||
|
|
||||||
# Service worker must never be cached so updates are picked up immediately
|
# Service worker must never be cached so updates are picked up immediately
|
||||||
location = /sw.js {
|
location = /sw.js {
|
||||||
|
|||||||
Reference in New Issue
Block a user