commit 48b3ec1b0b26bab3949c00b0499a81599fda4b51
parent 1d8f02759354ffc452959914e9f05e3003e08e25
Author: corndog <cauchyn@firemail.cc>
Date: Thu, 27 Sep 2018 20:40:24 -0700
Simple CSP fix
MDN lied to me and said allowfullscreen is
deprecated, but allow="fullscreen" does not work
at all.
Diffstat:
2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/Caddyfile b/Caddyfile
@@ -12,7 +12,7 @@ grgr.me {
browse /sits/releases
ext .html .txt
header / {
- Content-Security-Policy "default-src 'self' *.grgr.me; img-src img.youtube.com; media-src youtube.com"
+ Content-Security-Policy "default-src 'self' https: 'unsafe-eval' 'unsafe-inline'"
Referrer-Policy "same-origin"
X-Frame-Options "DENY"
}
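Review bot: The new `default-src 'self' https: 'unsafe-eval' 'unsafe-inline'` value on the Content-Security-Policy line gives up most of what the header protected: any HTTPS origin may now supply scripts, and inline script and `eval` are permitted, so an HTML injection anywhere on the site turns into script execution. The YouTube embed only needs the frame to load, which the old policy refused because `frame-src` falls back to `default-src`; keeping the previous policy and adding `frame-src https://www.youtube.com` (with `img-src 'self' https://img.youtube.com` if thumbnails are shown) would cover it. If the page's inline script was also being blocked, which this hunk does not show, moving it to a file or using `script-src 'self' 'sha256-<hash of the inline script>'` avoids `'unsafe-inline'` and `'unsafe-eval'`.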
diff --git a/in/me/index.md b/in/me/index.md
@@ -8,7 +8,9 @@ description: Some things I like.
const url = "https://www.youtube.com/embed/" + id;
const iframe = document.createElement('iframe');
iframe.setAttribute("src", url);
+ iframe.setAttribute("allow", "encrypted-media");
iframe.setAttribute("allow", "fullscreen");
+ iframe.setAttribute("allowfullscreen", true);
const div = document.getElementById(id);
if (!div.hasChildNodes()) {
div.appendChild(iframe);
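Review bot: The added `iframe.setAttribute("allow", "encrypted-media");` has no effect, because the unchanged `setAttribute("allow", "fullscreen")` on the next line replaces the attribute value instead of appending to it. Both features belong in a single call, `iframe.setAttribute("allow", "encrypted-media; fullscreen");`. `allowfullscreen` is a boolean attribute, so `iframe.setAttribute("allowfullscreen", "");` states the intent more plainly than passing `true`, which is stringified to "true". The enclosing function starts and ends outside the hunk, so the origin of `id` cannot be checked here; if it is not a fixed value written into the page, it should be matched against the expected video-id format before being concatenated into the embed URL.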