satellite/console/consoleweb: Update CSP directives

Update the Content Security Policy to whitelist `blob:` for the img-src
and media-src directives. This is necessary to prevent CSP errors in the
object browser while loading previews and object maps.

Change-Id: Ic32bf0954f300c77ec4f0fe11fae63f0c7b622da
Moby von Briesen 2022-02-23 17:10:18 -05:00
parent ccb847a329
commit d12bb19972


@ -345,10 +345,10 @@ func (server *Server) appHandler(w http.ResponseWriter, r *http.Request) {
"connect-src 'self' *.tardigradeshare.io *.storjshare.io " + server.config.GatewayCredentialsRequestURL,
"frame-ancestors " + server.config.FrameAncestors,
"frame-src 'self' *.stripe.com https://www.google.com/recaptcha/ https://recaptcha.google.com/recaptcha/",
"img-src 'self' data: *.tardigradeshare.io *.storjshare.io",
"img-src 'self' data: blob: *.tardigradeshare.io *.storjshare.io",
// Those are hashes of charts custom tooltip inline styles. They have to be updated if styles are updated.
"style-src 'unsafe-hashes' 'sha256-7mY2NKmZ4PuyjGUa4FYC5u36SxXdoUM/zxrlr3BEToo=' 'sha256-PRTMwLUW5ce9tdiUrVCGKqj6wPeuOwGogb1pmyuXhgI=' 'sha256-kwpt3lQZ21rs4cld7/uEm9qI5yAbjYzx+9FGm/XmwNU=' 'self'",
"media-src 'self' *.tardigradeshare.io *.storjshare.io",
"media-src 'self' blob: *.tardigradeshare.io *.storjshare.io",
"script-src 'sha256-wAqYV6m2PHGd1WDyFBnZmSoyfCK0jxFAns0vGbdiWUA=' 'self' *.stripe.com https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/",
}
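Review bot: The two new `blob:` entries in `img-src` and `media-src` carry no comment explaining why they are allowed, unlike the `style-src` line between them, which documents its hashes. Going by the commit message, a line such as `// blob: is required by the object browser to render previews and object maps.` above `img-src` (and referenced from `media-src`) would keep a later cleanup from dropping the scheme or someone from copying it into a more sensitive directive. On the visible lines `blob:` is confined to image and media loads and is absent from `script-src`, which is the placement worth preserving; a test asserting that the emitted header contains `blob:` only in these two directives would pin it. appHandler's body begins and ends outside this hunk, so whether `default-src`, `worker-src` or `object-src` are set cannot be confirmed from here.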