[FIX] MiddlewareManager: Update SAP Target CSP Policies

SAP · Jun 17, 2020 · 269c22c · 269c22c
1 parent 1e1644a
commit 269c22c
Showing 1 changed file with 16 additions and 8 deletions.
diff --git a/lib/middleware/MiddlewareManager.js b/lib/middleware/MiddlewareManager.js
@@ -96,19 +96,27 @@ class MiddlewareManager {
 							"script-src  'self' 'unsafe-eval'; " +
 							"style-src   'self' 'unsafe-inline'; " +
 							"font-src    'self' data:; " +
-							"img-src     'self' * data: blob:; " +
-							"frame-src   'self' https: data: blob:; " +
-							"child-src   'self' https: data: blob:; " +
-							"connect-src 'self' https: wss:;",
+							"img-src     'self' https: http: data: blob:; " +
+							"media-src   'self' https: http: data: blob:; " +
+							"object-src  blob:; " +
+							"frame-src   'self' https: gap: data: blob: mailto: tel:; " +
+							"worker-src  'self' blob:; " +
+							"child-src   'self' blob:; " +
+							"connect-src 'self' https: wss:; " +
+							"base-uri    'self';",
 						"sap-target-level-2":
 							"default-src 'self'; " +
 							"script-src  'self'; " +
 							"style-src   'self' 'unsafe-inline'; " +
 							"font-src    'self' data:; " +
-							"img-src     'self' * data: blob:; " +
-							"frame-src   'self' https: data: blob:; " +
-							"child-src   'self' https: data: blob:; " +
-							"connect-src 'self' https: wss:;"
+							"img-src     'self' https: http: data: blob:; " +
+							"media-src   'self' https: http: data: blob:; " +
+							"object-src  blob:; " +
+							"frame-src   'self' https: gap: data: blob: mailto: tel:; " +
+							"worker-src  'self' blob:; " +
+							"child-src   'self' blob:; " +
+							"connect-src 'self' https: wss:; " +
+							"base-uri    'self';"
 					}
 				};
 				if (this.options.sendSAPTargetCSP) {