nshenderov / strapi-plugin-ckeditor

Integrates CKEditor 5 into your Strapi project as a fully customizable custom field. (Unofficial integration)
https://www.npmjs.com/package/@_sh/strapi-plugin-ckeditor
MIT License
84 stars 53 forks

Embedded videos are not shown due to content security policy #112

Open milad2golnia opened 1 year ago

milad2golnia commented 1 year ago

Describe the bug

When I paste a video link inside the Media Embed field, it is not shown in CKEditor, and in the console I see this message:

Content Security Policy: The page’s settings blocked the loading of a resource at https://www.youtube.com/embed/SZLiCyA5SFQ (“default-src”).

Here is my security configuration:

export default [
  'strapi::errors',
  // 'strapi::security',
  'strapi::cors',
  'strapi::poweredBy',
  'strapi::logger',
  'strapi::query',
  'strapi::body',
  'strapi::session',
  'strapi::favicon',
  'strapi::public',
  {
    name: 'strapi::security',
    config: {
      contentSecurityPolicy: {
        useDefaults: true,
        directives: {
          'connect-src': ["'self'", 'https:'],
          "default-src": [
            "'self'",
            "data:",
            "blob:",
            "www.youtube.com",
          ],
          'img-src': [
            "'self'",
            'data:',
            'blob:',
            'market-assets.strapi.io',
            'minio.news.mys3bucket.com'
          ],
          'media-src': [
            "'self'",
            'data:',
            'blob:',
            "www.youtube.com",
            'market-assets.strapi.io', 
            'minio.news.mys3bucket.com',
          ],
          "frame-src": [
            "'self'",
            "data:",
            "blob:",
            "www.youtube.com",
          ],
          upgradeInsecureRequests: null
        }
      }
    }
  }
];

DHFW commented 8 months ago

I included the following in the directives object which removed the CSP error.

          "media-src": [
            "'self'",
            "data:",
            "blob:", 
            "https://www.youtube.com/",
          ],
          "frame-src": ["https://www.youtube.com/"],

LucaNerlich commented 5 months ago

Just add only 'youtube.com'. Leave out the protocol and subdomains.

thewickest commented 3 months ago

I'm having the same issue but these two configs are not working for me. Any update on this? I'm using v2.1.0 with Strapi 4.22.
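
The source expressions discussed in this thread can be compared with a small CSP matcher, which also shows which directive governs an iframe load. This is an added example, not part of the original issue or the plugin's code: it implements a simplified subset of CSP Level 3 source matching, and `PAGE_ORIGIN` and the function names `sourceMatches`, `frameVerdict` and `compareThreadSources` are assumptions made for illustration.

```javascript
// Added example: simplified CSP Level 3 source matching (no redirects, nonces or hashes).
const BLOCKED_URL = 'https://www.youtube.com/embed/SZLiCyA5SFQ'; // URL from the console message
const PAGE_ORIGIN = 'http://localhost:1337'; // assumption: admin panel origin

// Does one source expression allow `url` on a page served from `pageOrigin`?
function sourceMatches(expr, url, pageOrigin) {
  const u = new URL(url);
  const page = new URL(pageOrigin);
  if (expr === "'self'") return u.origin === page.origin;
  // scheme-source such as data: or https:
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return u.protocol === expr.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:]+)(?::(\d+|\*))?(\/.*)?$/i.exec(expr);
  if (!m) return false;
  const [, scheme, wildcard, host, port, path] = m;
  // No scheme in the expression: use the page's scheme; http may upgrade to https.
  const want = scheme ? `${scheme.toLowerCase()}:` : page.protocol;
  if (u.protocol !== want && !(want === 'http:' && u.protocol === 'https:')) return false;
  // Hosts match exactly unless the expression starts with "*.", which matches subdomains only.
  const h = u.hostname.toLowerCase();
  const wantHost = host.toLowerCase();
  if (wildcard ? !h.endsWith(`.${wantHost}`) : h !== wantHost) return false;
  // No port in the expression: the URL must use its scheme's default port.
  const defaultPort = { 'http:': '80', 'https:': '443' }[u.protocol];
  if (port ? port !== '*' && port !== (u.port || defaultPort) : u.port !== '') return false;
  // A path ending in "/" is a prefix match; any other path must match exactly.
  if (path) return path.endsWith('/') ? u.pathname.startsWith(path) : u.pathname === path;
  return true;
}

// An <iframe> load is checked against frame-src, then child-src, then default-src.
function frameVerdict(directives, url = BLOCKED_URL, pageOrigin = PAGE_ORIGIN) {
  const name = ['frame-src', 'child-src', 'default-src'].find((d) => Array.isArray(directives[d]));
  if (!name) return { directive: null, allowed: true };
  const allowed = directives[name].some((s) => sourceMatches(s, url, pageOrigin));
  return { directive: name, allowed };
}

// The three source spellings from the thread, plus a wildcard form for comparison.
function compareThreadSources() {
  const spellings = ['www.youtube.com', 'https://www.youtube.com/', 'youtube.com', '*.youtube.com'];
  return Object.fromEntries(spellings.map((s) => [s, frameVerdict({ 'frame-src': [s] }).allowed]));
}

console.log(compareThreadSources());
console.log(frameVerdict({ 'default-src': ["'self'"] })); // policy with no frame-src
```

To check a deployment, pass `frameVerdict` the directives parsed from the `Content-Security-Policy` response header the admin panel actually sends rather than the ones in the config file.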