make CSP even a little bit more restrictive

config/environment.js

@@ -17,9 +17,9 @@ module.exports = function(environment) {
       'script-src': "'self'",
       'font-src': "'self'",
       'connect-src': "'self'",
-      'img-src': "'self'",
+      'img-src': "'none'",
       'style-src': "'self'",
-      'media-src': "'self'",
+      'media-src': "'none'",
       'referrer': "no-referrer"
     },
 

package.json

@@ -39,7 +39,7 @@
     "ember-cli-build-info": "^0.2.0",
     "ember-cli-chart": "git://github.com/jelhan/ember-cli-chart.git#52ae694db579df94e0ef057d2cf7d6d96c61f78f",
     "ember-cli-clipboard": "0.4.1",
-    "ember-cli-content-security-policy": "0.4.0",
+    "ember-cli-content-security-policy": "0.5.0",
     "ember-cli-dependency-checker": "^1.2.0",
     "ember-cli-flash": "1.3.16",
     "ember-cli-htmlbars": "^1.0.1",

public/.htaccess

@@ -1,5 +1,5 @@
 # Content Security Policy-Headers
 # you have to enable apache module headers to get them working
-#Header set Content-Security-Policy "default-src 'none'; script-src 'self'; font-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self'; referrer no-referrer;"
-#Header set X-Content-Security-Policy "default-src 'none'; script-src 'self'; font-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self'; referrer no-referrer;"
-#Header set X-Webkit-CSP "default-src 'none'; script-src 'self'; font-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self'; referrer no-referrer;"
+#Header set Content-Security-Policy "default-src 'none'; script-src 'self'; font-src 'self'; connect-src 'self'; style-src 'self'; referrer no-referrer;"
+#Header set X-Content-Security-Policy "default-src 'none'; script-src 'self'; font-src 'self'; connect-src 'self'; style-src 'self'; referrer no-referrer;"
+#Header set X-Webkit-CSP "default-src 'none'; script-src 'self'; font-src 'self'; connect-src 'self'; style-src 'self'; referrer no-referrer;"