From f9b1e16e3a14240c1c13d14cedc54cd116eed176 Mon Sep 17 00:00:00 2001 From: hobokenchicken Date: Mon, 6 Jul 2026 12:20:53 +0000 Subject: [PATCH] fix(webrtc): configure external TURN server and update CSP to allow inline scripts --- docker/livekit.yaml | 6 ++++++ internal/middleware/security.go | 2 +- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/docker/livekit.yaml b/docker/livekit.yaml index a6bcf6e..ef50a52 100644 --- a/docker/livekit.yaml +++ b/docker/livekit.yaml @@ -5,6 +5,12 @@ rtc: use_external_ip: true port_range_start: 50000 port_range_end: 50100 + turn_servers: + - host: turn.dustin.coffee + port: 443 + protocol: tls + username: V8S6EWOU1Lqp + credential: jQRJztgWbqDn9vjMUhHZg1ooxuhiBjhk turn: enabled: false keys: diff --git a/internal/middleware/security.go b/internal/middleware/security.go index 81b87da..e242189 100644 --- a/internal/middleware/security.go +++ b/internal/middleware/security.go @@ -11,7 +11,7 @@ func SecurityHeaders(next http.Handler) http.Handler { w.Header().Set("X-Frame-Options", "DENY") w.Header().Set("Referrer-Policy", "strict-origin-when-cross-origin") w.Header().Set("Content-Security-Policy", - "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; "+ + "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; "+ "img-src 'self' https: data:; connect-src 'self' wss: ws:; font-src 'self';") w.Header().Set("Permissions-Policy", "camera=(), microphone=(self), geolocation=()") next.ServeHTTP(w, r)