-rw-r--r--config.json3
-rw-r--r--config.toml1
-rw-r--r--config.yaml1
-rw-r--r--themes/default/layouts/partials/csp.html2
4 files changed, 7 insertions, 0 deletions
diff --git a/config.json b/config.json
index 9189bde..357c47b 100644
--- a/config.json
+++ b/config.json
@@ -142,6 +142,9 @@
"'self'",
"'unsafe-inline'",
"http://preview.test"
+ ],
+ "connectsrc": [
+ "'self'"
]
}
},
diff --git a/config.toml b/config.toml
index c16f72e..676c81e 100644
--- a/config.toml
+++ b/config.toml
@@ -103,6 +103,7 @@ enableRobotsTXT = true
scriptsrc = ["'self'", "s.imgur.com", "platform.twitter.com"]
scriptsrcelem = ["'self'", "s.imgur.com", "platform.twitter.com"]
stylesrc = ["'self'", "'unsafe-inline'", "http://preview.test"]
+ connectsrc = ["'self'"]
[outputFormats]
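Review bot: The added `connectsrc = ["'self'"]` line has no comment saying what it governs, and this list bounds where page scripts may send data (fetch, XHR, WebSocket, EventSource, beacons). I would put `# connect-src: endpoints scripts may contact; each host added here is a place page data can be sent` above it. The matching line in config.yaml can carry the same comment. config.json cannot hold one, so the three copies of the list have to be kept in step by hand.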
diff --git a/config.yaml b/config.yaml
index c95c1dc..5842f8f 100644
--- a/config.yaml
+++ b/config.yaml
@@ -89,6 +89,7 @@ params:
scriptsrc: ["'self'", s.imgur.com, platform.twitter.com]
scriptsrcelem: ["'self'", s.imgur.com, platform.twitter.com]
stylesrc: ["'self'", "'unsafe-inline'", http://preview.test]
+ connectsrc: ["'self'"]
outputFormats:
html:
diff --git a/themes/default/layouts/partials/csp.html b/themes/default/layouts/partials/csp.html
index 81a6af6..62489ec 100644
--- a/themes/default/layouts/partials/csp.html
+++ b/themes/default/layouts/partials/csp.html
@@ -15,6 +15,7 @@
block-all-mixed-content;
default-src 'self';
child-src %s;
+ connect-src %s;
font-src %s;
form-action %s;
frame-src %s;
@@ -28,6 +29,7 @@
">`
($upgrade)
(delimit .Site.Params.csp.childsrc " ")
+ (delimit .Site.Params.csp.connectsrc " ")
(delimit .Site.Params.csp.fontsrc " ")
(delimit .Site.Params.csp.formaction " ")
(delimit .Site.Params.csp.framesrc " ")
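Review bot: The added `(delimit .Site.Params.csp.connectsrc " ")` argument has no fallback for a site configuration that lacks `connectsrc`. Depending on how the template engine handles the missing param, that would either fail the build or render an empty `connect-src ;`, which as far as I can tell permits no connections at all. A default keeps older configs working: `(delimit (default (slice "'self'") .Site.Params.csp.connectsrc) " ")`. The `%s` in the first hunk's `connect-src %s;` is bound by position only, so a one-line template comment before the printf saying the arguments must follow directive order would help; a misplaced argument puts a source list under the wrong directive without any error. The printf call starts and ends outside both hunks, so I cannot see whether the other params are guarded.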