Fix CSP for cloudfront media

api/comments.go

@@ -55,6 +55,9 @@ func ParseComment(data gjson.Result) types.Comment {
 	deletedAt, _ := utils.FormatDate(data.Get("deleted_at").String())
 
 	userAvatar := strings.ReplaceAll(data.Get("account.avatar").String(), "https://i.imgur.com", "")
+	if viper.GetBool("CF_ALL_MEDIA") {
+		userAvatar = viper.GetString("CF_MEDIA_DISTRIBUTION") + userAvatar
+	}
 
 	wg := sync.WaitGroup{}
 	comments := make([]types.Comment, 0)

pages/gallery.go

@@ -9,7 +9,7 @@ import (
 
 func HandleGallery(c *fiber.Ctx) error {
 	utils.SetHeaders(c)
-	c.Set("Content-Security-Policy", "default-src 'none'; media-src 'self'; style-src 'self'; img-src 'self'; font-src 'self'; block-all-mixed-content")
+	c.Set("Content-Security-Policy", "default-src 'none'; style-src 'self'; media-src 'self' *.cloudfront.net; img-src 'self' *.cloudfront.net; font-src 'self'; block-all-mixed-content")
 
 	album, err := api.FetchAlbum(c.Params("galleryID"))
 	if err != nil {

pages/user.go

@@ -12,7 +12,7 @@ import (
 func HandleUser(c *fiber.Ctx) error {
 	utils.SetHeaders(c)
 	c.Set("Cache-Control", "public,max-age=604800")
-	c.Set("Content-Security-Policy", "default-src 'none'; media-src 'self'; style-src 'unsafe-inline' 'self'; img-src 'self'; font-src 'self'; block-all-mixed-content")
+	c.Set("Content-Security-Policy", "default-src 'none'; style-src 'self' 'unsafe-inline'; media-src 'self' *.cloudfront.net; img-src 'self' *.cloudfront.net; font-src 'self'; block-all-mixed-content")
 
 	wg := sync.WaitGroup{}
 	wg.Add(2)