From 9faa7b801d54fb853bcb54c720ae0a3e297e0b10 Mon Sep 17 00:00:00 2001
From: Kevin Morris <kevr@0cost.org>
Date: Sun, 11 Sep 2022 15:22:10 -0700
Subject: [PATCH] feat: add cdn.jsdelivr.net to script/style CSP

Signed-off-by: Kevin Morris <kevr@0cost.org>
---
 aurweb/asgi.py | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/aurweb/asgi.py b/aurweb/asgi.py
index ccca3fc5..d1703c10 100644
--- a/aurweb/asgi.py
+++ b/aurweb/asgi.py
@@ -253,10 +253,14 @@ async def add_security_headers(request: Request, call_next: typing.Callable):
     # Add CSP header.
     nonce = request.user.nonce
     csp = "default-src 'self'; "
-    script_hosts = []
+
+    # swagger-ui needs access to cdn.jsdelivr.net javascript
+    script_hosts = ["cdn.jsdelivr.net"]
     csp += f"script-src 'self' 'nonce-{nonce}' " + " ".join(script_hosts)
-    # It's fine if css is inlined.
-    csp += "; style-src 'self' 'unsafe-inline'"
+
+    # swagger-ui needs access to cdn.jsdelivr.net css
+    css_hosts = ["cdn.jsdelivr.net"]
+    csp += "; style-src 'self' 'unsafe-inline' " + " ".join(css_hosts)
     response.headers["Content-Security-Policy"] = csp
 
     # Add XTCO header.