From 92798abb5d2731d6336da907113f2af407944f6d Mon Sep 17 00:00:00 2001
From: Omar Roth <omarroth@protonmail.com>
Date: Thu, 19 Mar 2020 13:37:22 -0500
Subject: [PATCH] Add manifest-src to CSP

---
 src/invidious.cr | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/invidious.cr b/src/invidious.cr
index 800af0dd..73546d7d 100644
--- a/src/invidious.cr
+++ b/src/invidious.cr
@@ -261,7 +261,7 @@ before_all do |env|
     extra_media_csp += " https://*.googlevideo.com:443"
   end
   # TODO: Remove style-src's 'unsafe-inline', requires to remove all inline styles (<style> [..] </style>, style=" [..] ")
-  env.response.headers["Content-Security-Policy"] = "default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; connect-src 'self'; media-src 'self' blob:#{extra_media_csp}"
+  env.response.headers["Content-Security-Policy"] = "default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; connect-src 'self'; manifest-src 'self'; media-src 'self' blob:#{extra_media_csp}"
   env.response.headers["Referrer-Policy"] = "same-origin"
 
   if (Kemal.config.ssl || config.https_only) && config.hsts