From dab4fc44ea7d19c261bccd0165a73d60ddc95913 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=A9r=C3=A9mie=20Astori?=
Date: Wed, 27 Dec 2017 13:56:38 -0500
Subject: [PATCH] Make sure data URIs are allowed by CSP not to block video controls
---
 src/server.js | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/server.js b/src/server.js
index 1522f77a..beed5d34 100644
--- a/src/server.js
+++ b/src/server.js
@@ -217,11 +217,13 @@ function index(req, res, next) {
 ];
 // If prefetch is enabled, but storage is not, we have to allow mixed content
+ // - https://user-images.githubusercontent.com is where we currently push our changelog screenshots
+ // - data: is required for the HTML5 video player
 if (Helper.config.prefetchStorage || !Helper.config.prefetch) {
- policies.push("img-src 'self' https://user-images.githubusercontent.com");
+ policies.push("img-src 'self' data: https://user-images.githubusercontent.com");
 policies.unshift("block-all-mixed-content");
 } else {
- policies.push("img-src http: https:");
+ policies.push("img-src http: https: data:");
 }
 res.setHeader("Content-Type", "text/html");
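Review bot: Adding `data:` to `img-src` is a low-risk relaxation (inline images cannot execute script), but the new comment justifies it only with "the HTML5 video player", which is a browser-specific observation — presumably native media controls that ship their icons as data: URIs — and gives the next maintainer nothing that stops the same source from migrating to `default-src`, `script-src` or `object-src`, where `data:` is a well-known CSP bypass. I would expand the second added bullet to `// - data: is required for the HTML5 video player controls (browser-native media controls load their icons as data: URIs); keep data: scoped to img-src — never add it to default-src/script-src/object-src`. The `policies` array literal and the rest of `index()` begin before the hunk, so whether a `default-src` directive already fences the remaining directives cannot be confirmed from here. The existing header comment about mixed content now sits above two bullets that describe both branches; placing each bullet directly above the `img-src` line it explains, or moving the pair above the `if`, would read more clearly.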