Fix disqus CSP

SISheogorath · SISheogorath · commit ecee16bd737b · 2018-12-05T13:17:14.000+01:00
Disqus loads it's embed config.js from its root domain (https://disqus.com). Our CSPs only allow subdomains (e.g.: https://codimd.disqus.com). This causes the disqus embedding to fail. This patch should fix this problem by adding https://disqus.com to the CSP setting. From a security perspective there is no real change. Since still the same parties are involved. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
diff --git a/lib/csp.js b/lib/csp.js
@@ -23,7 +23,7 @@ var cdnDirectives = {
 }
 
 var disqusDirectives = {
-  scriptSrc: ['https://*.disqus.com', 'https://*.disquscdn.com'],
+  scriptSrc: ['https://disqus.com', 'https://*.disqus.com', 'https://*.disquscdn.com'],
   styleSrc: ['https://*.disquscdn.com'],
   fontSrc: ['https://*.disquscdn.com']
 }

Original file line number	Diff line number	Diff line change
`@@ -23,7 +23,7 @@ var cdnDirectives = {`
`23`	`23`	`}`
`24`	`24`
`25`	`25`	`var disqusDirectives = {`
`26`		`- scriptSrc: ['https://.disqus.com', 'https://.disquscdn.com'],`
	`26`	`+ scriptSrc: ['https://disqus.com', 'https://.disqus.com', 'https://.disquscdn.com'],`
`27`	`27`	`styleSrc: ['https://*.disquscdn.com'],`
`28`	`28`	`fontSrc: ['https://*.disquscdn.com']`
`29`	`29`	`}`