Support media-src

[juergenzimmermann]

Please see http://www.html5rocks.com/en/tutorials/security/content-security-policy/

[EvanHahn]

I made a sample app that uses media-src and it appears to work for me. Does this not work for you?

app.use(helmet.csp({
  directives: {
    mediaSrc: ['media.example.com']
  }
}))

Are you using the latest version of helmet (and/or helmet-csp)?

[juergenzimmermann]

Yes, I'm using the latest version of helmet - together with TypeScript. Due to TypeScript I'm also using helmet.d.ts and get this error message:
Type '{ defaultSrc: string[]; mediaSrc: string[]; }' is not assignable to type 'IHelmetCspDirectives'. Object literal may only specify known properties, and 'mediaSrc' does not exist in type 'IHelmetCspDirectives'.
The problem seems to be at https://github.com/DefinitelyTyped/DefinitelyTyped/blob/master/helmet/helmet.d.ts#L11

[EvanHahn]

This looks like a problem in DefinitelyTyped. Is it okay if I close the issue here because this is not a problem with Helmet?

I'd like to submit a PR to DefinitelyTyped to improve their type definitions, but that isn't exactly part of Helmet.

[juergenzimmermann]

Yes, I also think it's a Problem of DefinitelyTyped.
I highly appreciate if you'd submit a PR to DefinitelyTyped.

[EvanHahn]

I'll close this issue. I'll take a look at DefinitelyTyped and see if I can make a PR.

[EvanHahn]

Made a PR (DefinitelyTyped/DefinitelyTyped#8820) for csp. I also made another for the xssFilter middleware (DefinitelyTyped/DefinitelyTyped#8818).

[EvanHahn]

Both of my PRs were merged! @juergenzimmermann, hope this helps.

[juergenzimmermann]

@EvanHahn, thank you very much for your efforts.