Add blob to frame-src in CSP for iD
[rails.git] / app / controllers / site_controller.rb
index 1fc916e7f8436c3f3a22d6742c5ffc1395ee3932..52fea613366684808f424ff04b094353ef7e996d 100644 (file)
@@ -75,6 +75,10 @@ class SiteController < ApplicationController
         :plugin_types => %w[application/x-shockwave-flash],
         :script_src => %w['unsafe-inline']
       )
+    elsif %w[id].include?(editor)
+      append_content_security_policy_directives(
+        :frame_src => %w[blob:]
+      )
     end
 
     begin
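Review bot: The new `elsif` branch allows `blob:` in `frame-src` without a comment saying which part of iD needs it, so a later reader cannot tell when the exception can be dropped. The allowance is limited to the `id` editor, which keeps it narrow, but on that page any script can now frame a document it builds from a Blob, so the reason belongs next to the directive, e.g. `# iD loads <feature: fill in> from a blob: URL in a frame; remove once iD no longer does`. It is also worth confirming in a browser what header results when `frame_src` has no base value, since some CSP helpers seed an unset directive from `default-src` on append. The `if`/`elsif` chain starts above the hunk, so the single-element `%w[id].include?(editor)` may simply mirror the preceding branch; if it does not, `editor == "id"` reads more directly.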