ayaports/user/thelounge/allow-https-for-connect-src.patch


diff --git a/server/server.ts b/server/server.ts.orig
index 7a1514e..5ecdea9 100644
--- a/server/server.ts
+++ b/server/server.ts.orig
@@ -377,7 +377,7 @@ function addSecurityHeaders(req: Request, res: Response, next: NextFunction) {
"default-src 'none'", // default to nothing
"base-uri 'none'", // disallow <base>, has no fallback to default-src
"form-action 'self'", // 'self' to fix saving passwords in Firefox, even though login is handled in javascript
- "connect-src 'self' ws: wss:", // allow self for polling; websockets
+ "connect-src 'self' ws: wss: https:", // allow self for polling; websockets
"style-src 'self' https: 'unsafe-inline'", // allow inline due to use in irc hex colors
"script-src 'self'", // javascript
"worker-src 'self'", // service worker
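Review bot: The bare `https:` scheme source added to `connect-src` lets fetch/XHR/EventSource requests from the client go to any HTTPS origin, and the trailing comment still reads `// allow self for polling; websockets`, so the reason for the wider policy is not recorded. The existing `ws: wss:` entries were already scheme-wide for WebSockets; this extends the same breadth to ordinary HTTP requests, which weakens the CSP as a limit on where injected script could send data. If the patch exists for one known endpoint, list that origin instead, e.g. `"connect-src 'self' ws: wss: https://<required-host>"` (placeholder; the host is not shown on this page). If any HTTPS origin really is required, say so in the comment: `// allow self for polling; websockets; any https origin for <reason>`. The directive array and `addSecurityHeaders` continue outside the hunk, so how the header is assembled cannot be checked from here.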