From ecee16bd737b59d93ac0d1633fd8afd6aabca063 Mon Sep 17 00:00:00 2001 From: Sheogorath Date: Wed, 5 Dec 2018 13:14:34 +0100 Subject: [PATCH] Fix disqus CSP Disqus loads it's embed config.js from its root domain (https://disqus.com). Our CSPs only allow subdomains (e.g.: https://codimd.disqus.com). This causes the disqus embedding to fail. This patch should fix this problem by adding https://disqus.com to the CSP setting. From a security perspective there is no real change. Since still the same parties are involved. Signed-off-by: Sheogorath --- lib/csp.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/csp.js b/lib/csp.js
index 96be533a..098d35d2 100644
--- a/lib/csp.js
+++ b/lib/csp.js
@@ -23,7 +23,7 @@ var cdnDirectives = {
 }
 
 var disqusDirectives = {
-  scriptSrc: ['https://*.disqus.com', 'https://*.disquscdn.com'],
+  scriptSrc: ['https://disqus.com', 'https://*.disqus.com', 'https://*.disquscdn.com'],
   styleSrc: ['https://*.disquscdn.com'],
   fontSrc: ['https://*.disquscdn.com']
 }
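Review bot: The new `'https://disqus.com'` entry in `scriptSrc` reads as redundant next to `'https://*.disqus.com'`, but it is not — a CSP host-source wildcard `*.disqus.com` matches subdomains only, never the apex — and nothing in the code records that, so a later cleanup could drop it and silently break the embed again. A one-line comment above the array would pin the reason: `// *.disqus.com does not match the apex; Disqus serves embed config.js from https://disqus.com itself`. I would also soften the commit message's claim that there is "no real change" from a security perspective: the apex is a distinct origin from the subdomains, so the script-src allow-list is strictly wider than before even though the same operator appears to control both. Since `styleSrc` and `fontSrc` still allow only the CDN, the comment could also note that this list must track what Disqus actually loads rather than be widened by analogy.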