feature (transcoding): update csp

server/middleware/http.go

@@ -48,7 +48,7 @@ func IndexHeaders(fn func(App, http.ResponseWriter, *http.Request)) func(ctx App
 		header.Set("X-Frame-Options", "DENY")
 		header.Set("X-Powered-By", fmt.Sprintf("Filestash/%s.%s <https://filestash.app>", APP_VERSION, BUILD_DATE))
 
-		cspHeader := "default-src 'none'; style-src 'unsafe-inline'; font-src 'self' data:; manifest-src 'self'; script-src 'self' 'sha256-JNAde5CZQqXtYRLUk8CGgyJXo6C7Zs1lXPPClLM1YM4=' 'sha256-9/gQeQaAmVkFStl6tfCbHXn8mr6PgtxlH+hEp685lzY='; img-src 'self' data: https://maps.wikimedia.org; connect-src 'self'; object-src 'self'; media-src 'self'; worker-src 'self'; form-action 'self'; base-uri 'self';"
+		cspHeader := "default-src 'none'; style-src 'unsafe-inline'; font-src 'self' data:; manifest-src 'self'; script-src 'self' 'sha256-JNAde5CZQqXtYRLUk8CGgyJXo6C7Zs1lXPPClLM1YM4=' 'sha256-9/gQeQaAmVkFStl6tfCbHXn8mr6PgtxlH+hEp685lzY='; img-src 'self' data: https://maps.wikimedia.org; connect-src 'self'; object-src 'self'; media-src 'self' blob:; worker-src 'self' blob:; form-action 'self'; base-uri 'self';"
 		if allowedDomainsForIframe := Config.Get("features.protection.iframe").Schema(func(f *FormElement) *FormElement{
 			if f == nil {
 				f = &FormElement{}

server/plugin/plg_video_transcoder/index.go

@@ -136,6 +136,7 @@ func hls_playlist(reader io.ReadCloser, ctx *App, res *http.ResponseWriter, req
 		response += fmt.Sprintf("/hls/hls_%d.ts?path=%s\n", i, cacheName)
 	}
 	response += "#EXT-X-ENDLIST\n"
+	(*res).Header().Set("Content-Type", "application/x-mpegURL")
 	return NewReadCloserFromBytes([]byte(response)), nil
 }