Add support for signed URLs used by the render_file function

config/initializers/content_security_policy.rb

@@ -38,6 +38,7 @@ Rails.application.config.content_security_policy do |policy|
   # Code executions might return a base64 encoded image as a :data URI
   policy.img_src              :self, :data
   policy.object_src           :none
+  policy.media_src            :self
   policy.script_src           :self, :report_sample
   # Our ACE editor unfortunately requires :unsafe_inline for the code highlighting
   policy.style_src            :self, :unsafe_inline, :report_sample