DMED-119 - update CSP to include YouTube embeds

hpi-schul-cloud · Sep 18, 2024 · 7c2540d · 7c2540d
1 parent 02df50a
commit 7c2540d
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/config/docker/nginx.conf.template b/config/docker/nginx.conf.template
@@ -2,7 +2,7 @@ server {
     listen 4000;
     server_name  localhost;
 
-    set $csp "default-src 'self'; base-uri 'self'; script-src 'nonce-$request_id' 'strict-dynamic' 'unsafe-inline' https:; object-src 'none'; font-src 'self' data:; img-src 'self' data: ${EDU_SHARING_IMG_SRC_URLS}; style-src 'self' 'unsafe-inline'; frame-src 'self' ${H5P_FRAME_SRC_URLS} https://docs.dbildungscloud.de/; connect-src 'self' ${EDU_SHARING_CONNECT_SRC_URLS}";
+    set $csp "default-src 'self'; base-uri 'self'; script-src 'nonce-$request_id' 'strict-dynamic' 'unsafe-inline' https:; object-src 'none'; font-src 'self' data:; img-src 'self' data: ${EDU_SHARING_IMG_SRC_URLS}; style-src 'self' 'unsafe-inline'; frame-src 'self' ${H5P_FRAME_SRC_URLS} https://docs.dbildungscloud.de/ https://www.youtube-nocookie.com/; connect-src 'self' ${EDU_SHARING_CONNECT_SRC_URLS}";
 
     set $h5pcsp "default-src 'self'; base-uri 'self'; script-src ${H5P_SCRIPT_SRC_URLS} 'unsafe-inline' https:; object-src 'none'; font-src 'self' data:; img-src 'self' ${H5P_IMG_SRC_URLS} data:; style-src 'self' 'unsafe-inline'; frame-src 'self' ${H5P_FRAME_SRC_URLS}";