pretalx / pretalx-media-ccc-de


pretalx sets Content-Security-Policy, which interferes with the plugin #1

Closed Kunsi closed 3 years ago

Kunsi commented 3 years ago

Pretalx itself sets a Content-Security-Policy, which disallows loading images/videos from media.ccc.de.

Is there a config option I missed to set?

For now, I'm able to work around that at the reverse proxy level, but it would be nice not to have to.

# curl -I http://localhost:22060/divoc-reboot-to-respawn-2021/talk/KBURYL/
HTTP/1.1 200 OK
Server: gunicorn/20.0.4
Date: Mon, 05 Apr 2021 06:06:48 GMT
Connection: close
Content-Type: text/html; charset=utf-8
Content-Security-Policy: form-action 'self'; default-src 'self'; img-src 'self' data: https://www.gravatar.com; style-src 'self' 'unsafe-inline'; script-src 'self'; base-uri 'none'
X-Frame-Options: DENY
Vary: Cookie
Content-Length: 11531
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Referrer-Policy: strict-origin-when-cross-origin

rixx commented 3 years ago

The plugin should override the frame-src CSP header for pages with videos enabled.

Apparently this mechanism broke when we added speaker pictures to talk pages, because the update of the CSP policy to include gravatar images overrides the policy update to permit the video iframe. (This is because despite its name, csp_update does not update, it just overrides. django-csp had this issue brought up in the past and decided that it works as intended.)

I pushed a fix in pretalx. Thank you for reporting the problem.
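The override-versus-merge behaviour rixx describes, modelled in a small added Python example. This is not pretalx or django-csp code: the base policy is taken from the Content-Security-Policy header in the curl output above, and the two per-view updates (VIDEO_UPDATE, GRAVATAR_UPDATE) are hypothetical stand-ins for the plugin's frame-src change and the speaker-picture img-src change. With override semantics the later gravatar update replaces the pending frame-src update, so the rendered header never permits the video iframe; with per-directive merging both survive.

```python
"""Model of per-directive CSP merging versus whole-update override.

Added example for this issue thread; it is not pretalx or django-csp code.
The two update calls below stand in for the plugin's frame-src change and the
speaker-picture img-src change described in the thread.
"""

# Constructed base policy, taken from the Content-Security-Policy header in the issue.
BASE_POLICY = {
    "form-action": ["'self'"],
    "default-src": ["'self'"],
    "img-src": ["'self'", "data:"],
    "style-src": ["'self'", "'unsafe-inline'"],
    "script-src": ["'self'"],
    "base-uri": ["'none'"],
}

# Hypothetical per-view updates: the video plugin needs an iframe source,
# the speaker-picture feature needs an image source.
VIDEO_UPDATE = {"frame-src": ["https://media.ccc.de"]}
GRAVATAR_UPDATE = {"img-src": ["https://www.gravatar.com"]}


def _union(existing, extra):
    """Append sources that are not already present, keeping order."""
    merged = list(existing)
    for source in extra:
        if source not in merged:
            merged.append(source)
    return merged


def apply_updates_override(base, updates):
    """'Override' semantics: each update replaces the pending update dict,
    so only the last one is folded into the base policy."""
    pending = {}
    for update in updates:
        pending = dict(update)  # last writer wins; earlier updates are lost
    policy = {d: list(s) for d, s in base.items()}
    for directive, sources in pending.items():
        policy[directive] = _union(policy.get(directive, []), sources)
    return policy


def apply_updates_merge(base, updates):
    """'Merge' semantics: every update is unioned into the policy per directive."""
    policy = {d: list(s) for d, s in base.items()}
    for update in updates:
        for directive, sources in update.items():
            policy[directive] = _union(policy.get(directive, []), sources)
    return policy


def render_csp(policy):
    """Serialise a policy dict into a Content-Security-Policy header value."""
    return "; ".join(f"{d} {' '.join(s)}" for d, s in policy.items())


def effective_sources(policy, directive):
    """Sources governing a fetch directive, falling back to default-src.

    Simplified: a real browser checks frame-src, then child-src, then
    default-src; the intermediate child-src step is omitted here.
    """
    if directive in policy:
        return policy[directive]
    return policy.get("default-src", [])


def allows(policy, directive, origin):
    """True if `origin` is an allowed source for `directive` under this policy."""
    return origin in effective_sources(policy, directive)


if __name__ == "__main__":
    updates = [VIDEO_UPDATE, GRAVATAR_UPDATE]
    for name, fn in (("override", apply_updates_override), ("merge", apply_updates_merge)):
        policy = fn(BASE_POLICY, updates)
        print(f"{name}: {render_csp(policy)}")
        print(f"  iframe from media.ccc.de allowed: {allows(policy, 'frame-src', 'https://media.ccc.de')}")
```

Running the block prints both rendered headers; the override variant has no frame-src directive at all, so frame-src falls back to default-src 'self' and the media.ccc.de iframe is blocked, which is exactly the symptom in the curl output above. The `allows` helper is the check worth keeping around: after any change that touches the CSP, assert that every directive a feature relies on still permits its origin.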