From 4a5b3325673f277e335a15334ecf0e0eabbb6909 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ivar=20Conradi=20=C3=98sthus?=
Date: Wed, 12 Jan 2022 23:22:04 +0100
Subject: [PATCH] fix: make sure our CSP allow gravatar.com for images

---
 src/lib/middleware/secure-headers.ts | 3 ++-
 src/server-dev.ts | 1 +
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/lib/middleware/secure-headers.ts b/src/lib/middleware/secure-headers.ts
index cd5102378b..f674e97989 100644
--- a/src/lib/middleware/secure-headers.ts
+++ b/src/lib/middleware/secure-headers.ts
@@ -13,7 +13,7 @@ const secureHeaders: (config: IUnleashConfig) => RequestHandler = (config) => {
 },
 contentSecurityPolicy: {
 directives: {
- defaultSrc: ["'self'", 'cdn.getunleash.io'],
+ defaultSrc: ["'self'", 'cdn.getunleash.io', 'gravatar.com'],
 fontSrc: [
 "'self'",
 'cdn.getunleash.io',
@@ -37,6 +37,7 @@ const secureHeaders: (config: IUnleashConfig) => RequestHandler = (config) => {
 ],
 },
 },
+ crossOriginEmbedderPolicy: false,
 });
 }
 return (req, res, next) => {
diff --git a/src/server-dev.ts b/src/server-dev.ts
index 2d29a49676..f408dfaec2 100644
--- a/src/server-dev.ts
+++ b/src/server-dev.ts
@@ -24,6 +24,7 @@ process.nextTick(async () => {
 },
 logLevel: LogLevel.debug,
 enableOAS: true,
+ // secureHeaders: true,
 versionCheck: {
 enable: false,
 },
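Review bot: Adding 'gravatar.com' to `defaultSrc` in the first hunk widens every CSP directive that falls back to default-src (script-src, connect-src, frame-src and the rest, unless they are set explicitly further down), while the commit title only needs images. The narrower change is an explicit image directive, for example `imgSrc: ["'self'", 'gravatar.com'],`, leaving `defaultSrc` as it was; note that an explicit `imgSrc` replaces the helmet-style default for that directive, so any other image source the UI relies on (e.g. data URIs) would have to be listed too. A bare host in a CSP source matches only that exact host, so if the avatar URLs use a subdomain such as www.gravatar.com they would still be blocked — worth confirming against the actual URL the frontend requests. The enclosing arrow function starts and ends outside the hunk.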
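Review bot: `crossOriginEmbedderPolicy: false,` in the second hunk turns off the COEP header for the whole app with no explanation, and nothing in the commit message says why it is needed. Presumably it is because a default `require-corp` policy blocks cross-origin image responses that carry no CORP header, which is the same gravatar embedding the CSP change is for; if so, that reasoning belongs next to the line, for example `// COEP 'require-corp' would block cross-origin avatar images that send no CORP header.`. Disabling COEP also means the page is no longer cross-origin isolated, which is fine for this UI but should be a deliberate, documented choice rather than an unexplained toggle. The enclosing arrow function starts and ends outside the hunk.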
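Review bot: The third hunk commits a commented-out option, `// secureHeaders: true,`, into the dev server config, which is dead text that will drift from the real default. Either enable it so local development exercises the same CSP/COEP settings this commit is changing, or leave the line out; a commented toggle does neither. The `process.nextTick` callback it sits in starts and ends outside the hunk.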