Merge pull request #29 from anvelicon/pr/media-src

feat: add media-src to the default CSP

__tests__/buildCSPHeaders.js

@@ -17,6 +17,7 @@ const DEFAULT_CSP = {
 	'frame-src': '\'none\'',
 	'img-src': '\'self\'',
 	'manifest-src': '\'self\'',
+	'media-src': '\'self\'',
 	'object-src': '\'none\'',
 	'prefetch-src': '\'self\'',
 	'script-src': '\'self\'',

docs/api/contentSecurityPolicy.md

@@ -15,6 +15,7 @@
 		"frame-src": "'none'",
 		"img-src": "'self'",
 		"manifest-src": "'self'",
+		"media-src": "'self'",
 		"object-src": "'none'",
 		"prefetch-src": "'self'",
 		"script-src": "'self'",

docs/configuration.md

@@ -16,6 +16,7 @@ nextSafe({
 		"frame-src": "'none'",
 		"img-src": "'self'",
 		"manifest-src": "'self'",
+		"media-src": "'self'",
 		"object-src": "'none'",
 		"prefetch-src": "'self'",
 		"script-src": "'self'",

lib/buildCSPHeaders.js

@@ -34,6 +34,7 @@ module.exports = function buildCSPHeaders(options = {}) {
 		'frame-src': getCSPDirective(contentSecurityPolicy['frame-src'], "'none'"),
 		'img-src': getCSPDirective(contentSecurityPolicy['img-src'], "'self'"),
 		'manifest-src': getCSPDirective(contentSecurityPolicy['manifest-src'], "'self'"),
+		'media-src': getCSPDirective(contentSecurityPolicy['media-src'], "'self'"),
 		'object-src': getCSPDirective(contentSecurityPolicy['object-src'], "'none'"),
 		'prefetch-src': getCSPDirective(contentSecurityPolicy['prefetch-src'], "'self'"),
 		'script-src': getCSPDirective(contentSecurityPolicy['script-src'], "'self'"),

lib/models/CSP.js

@@ -18,6 +18,7 @@
  * @property {CSPDirective} ['frame-src']
  * @property {CSPDirective} ['img-src']
  * @property {CSPDirective} ['manifest-src']
+ * @property {CSPDirective} ['media-src']
  * @property {CSPDirective} ['object-src']
  * @property {CSPDirective} ['prefetch-src']
  * @property {CSPDirective} ['script-src']