Merge pull request #7366 from brave/fix-7243

Torrent Viewer CSP rule blocks <iframe> content
brave · Mar 17, 2017 · 067ca56 · 067ca56
2 parents b740348 + 32f6b0e
commit 067ca56
Showing 1 changed file with 6 additions and 5 deletions.
diff --git a/app/extensions.js b/app/extensions.js
@@ -172,22 +172,23 @@ let generateTorrentManifest = () => {
   let cspDirectives = {
     'default-src': '\'self\'',
     // TODO(bridiver) - remove example.com when webtorrent no longer requires it
+    //                  (i.e. once Brave uses webpack v2)
     'connect-src': '\'self\' https://example.com',
     'media-src': '\'self\' http://localhost:*',
     'form-action': '\'none\'',
     'referrer': 'no-referrer',
     'style-src': '\'self\' \'unsafe-inline\'',
-    'frame-src': '\'self\''
+    'frame-src': '\'self\' http://localhost:*'
   }
 
   if (process.env.NODE_ENV === 'development') {
     // allow access to webpack dev server resources
     let devServer = 'localhost:' + process.env.npm_package_config_port
-    cspDirectives['default-src'] = '\'self\' http://' + devServer
+    cspDirectives['default-src'] += ' http://' + devServer
     cspDirectives['connect-src'] += ' http://' + devServer + ' ws://' + devServer
-    cspDirectives['media-src'] = '\'self\' http://localhost:* http://' + devServer
-    cspDirectives['frame-src'] = '\'self\' http://' + devServer
-    cspDirectives['style-src'] = '\'self\' \'unsafe-inline\' http://' + devServer
+    cspDirectives['media-src'] += ' http://' + devServer
+    cspDirectives['frame-src'] += ' http://' + devServer
+    cspDirectives['style-src'] += ' http://' + devServer
   }
 
   return {