fix(mukke): add media-src to CSP for audio playback from MinIO

Add mediaSrc option to shared security headers and configure mukke
to allow audio loading from minio.mana.how (S3 presigned URLs).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Till JS 2026-03-23 09:40:56 +01:00
parent ae0ba94fce
commit 807c5da26e
3 changed files with 42 additions and 2 deletions


@ -25,6 +25,8 @@ interface SecurityHeadersOptions {
imgSrc?: string[];
/** Additional font-src origins */
fontSrc?: string[];
/** Additional media-src origins (audio/video sources) */
mediaSrc?: string[];
/** Override frame-ancestors (default: 'none') */
frameAncestors?: string;
}
@ -39,6 +41,7 @@ export function setSecurityHeaders(response: Response, options: SecurityHeadersO
scriptSrc = [],
imgSrc = [],
fontSrc = [],
mediaSrc = [],
frameAncestors = "'none'",
} = options;
@ -56,11 +59,12 @@ export function setSecurityHeaders(response: Response, options: SecurityHeadersO
`img-src 'self' data: https: ${imgSrc.join(' ')}`.trim(),
`connect-src 'self' https://stats.mana.how https://glitchtip.mana.how ${connectSrc.join(' ')}`.trim(),
`font-src 'self' ${fontSrc.join(' ')}`.trim(),
mediaSrc.length > 0 ? `media-src 'self' ${mediaSrc.join(' ')}`.trim() : '',
"object-src 'none'",
"base-uri 'self'",
"form-action 'self'",
`frame-ancestors ${frameAncestors}`,
];
response.headers.set('Content-Security-Policy', cspDirectives.join('; '));
response.headers.set('Content-Security-Policy', cspDirectives.filter(Boolean).join('; '));
}
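Review bot: The conditional on the `media-src` line means an app that passes no `mediaSrc` gets no media-src directive at all, so audio/video loading falls back to whatever `default-src` permits (that directive is outside this hunk, so its value can't be confirmed here), while every other fetch directive in this list is always pinned to `'self'`. Emitting it unconditionally, `` `media-src 'self' ${mediaSrc.join(' ')}`.trim(), `` keeps the policy explicit and lets the header line stay `cspDirectives.join('; ')` with no `filter(Boolean)` pass. The option comment should also say that values are spliced into the header verbatim, e.g. `/** Additional media-src origins (audio/video sources); inserted into the CSP as-is, so pass origins only */`. If the player fetches the presigned URL via fetch()/XHR rather than an `<audio>` element, `connectSrc` would need the same origin, which this diff does not show either way. `setSecurityHeaders` begins outside the hunk.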