fix(csp): allow 'data:' images in pads

Signed-off-by: Dominik Rimpf <dev@drimpf.de>
Dominik Rimpf 2024-12-11 18:53:03 +01:00 committed by Philip Molares
parent 4fdab806a3
commit 980bc71a65
2 changed files with 2 additions and 1 deletions

@ -11,7 +11,7 @@ const defaultDirectives = {
fontSrc: ['\'self\''],
manifestSrc: ['\'self\''],
frameSrc: ['\'self\'', 'https://player.vimeo.com', 'https://www.slideshare.net/slideshow/embed_code/key/', 'https://www.youtube.com'],
imgSrc: ['*'], // we allow using arbitrary images
imgSrc: ['*', 'data:'], // we allow using arbitrary images & explicit data for mermaid
scriptSrc: [
config.serverURL + '/build/',
config.serverURL + '/js/',
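Review bot: The comment on the new imgSrc line ties 'data:' to mermaid, but the entry sits in defaultDirectives, so data: URIs become valid image sources for every image in every pad, not only for mermaid output. The comment should say so, and also say why the entry is needed at all: the '*' source expression does not match the data: scheme, so it has to be listed explicitly. Suggested wording: `// arbitrary images; 'data:' is listed explicitly because '*' does not cover it (needed for mermaid)`. The old imgSrc line could also carry a short note in the PR description confirming that only img-src is widened and that scriptSrc and frameSrc are untouched, since that is what a reader auditing the policy will want to confirm.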

@ -4,6 +4,7 @@
### Bugfixes
- Fix a crash when cannot read user profile in Oauth
- Fix CSP Header for mermaid embedded images ([#5887](https://github.com/hedgedoc/hedgedoc/pull/5887) by [@domrim](https://github.com/domrim))
## <i class="fa fa-tag"></i> 1.10.0 <i class="fa fa-calendar-o"></i> 2024-09-01
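Review bot: The new Bugfixes entry says "Fix CSP Header" without stating that the policy was widened, which is the part an administrator reviewing the release needs to see. Suggest naming the directive and the source that was added, for example `Allow 'data:' in the img-src CSP directive so mermaid embedded images render`, keeping the PR link and attribution as they are.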