Add media-src CSP to middleware (#1121)

2026-05-04 15:04:03 +00:00 · 2018-12-12 08:59:22 +01:00
parent 62c2e7765b
commit 518298f71c
1 changed files with 1 additions and 0 deletions
--- a/src/pretix/base/middleware.py
+++ b/src/pretix/base/middleware.py
@@ -189,6 +189,7 @@ class SecurityMiddleware(MiddlewareMixin):
            'connect-src': ["{dynamic}", "{media}", "https://checkout.stripe.com"],
            'img-src': ["{static}", "{media}", "data:", "https://*.stripe.com"],
            'font-src': ["{static}"],
+            'media-src': ["{static}", "data:"],
            # form-action is not only used to match on form actions, but also on URLs
            # form-actions redirect to. In the context of e.g. payment providers or
            # single-sign-on this can be nearly anything so we cannot really restrict