aurweb.asgi: Allow unsafe-inline style-src in CSP

Signed-off-by: Kevin Morris <kevr@0cost.org>
Kevin Morris 2021-06-26 04:13:28 -07:00
parent 85ba4a33a8
commit bfffdd4d91


@ -88,6 +88,8 @@ async def add_security_headers(request: Request, call_next: typing.Callable):
"cdn.jsdelivr.net" "cdn.jsdelivr.net"
] ]
csp += f"script-src 'self' 'nonce-{nonce}' " + ' '.join(script_hosts) csp += f"script-src 'self' 'nonce-{nonce}' " + ' '.join(script_hosts)
# It's fine if css is inlined.
csp += f"; style-src 'self' 'unsafe-inline'"
response.headers["Content-Security-Policy"] = csp response.headers["Content-Security-Policy"] = csp
# Add XTCO header. # Add XTCO header.
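Review bot: `'unsafe-inline'` on the new style-src line gives back much of what the script-src nonce this function already mints is protecting, since any injected `<style>` or `style=` content can exfiltrate form and attribute values through CSS selectors plus `url()` loads and can restyle the page for clickjacking, so the comment "It's fine if css is inlined" overstates the safety. The nonce is already in scope, so the cheaper fix is `csp += f"; style-src 'self' 'nonce-{nonce}'"` together with a `nonce` attribute on the templates' inline `<style>` blocks (templates are not visible here); if inline `style=` attributes are what drives this, note that nonces do not cover them and they must either move to classes or be allowed explicitly with `'unsafe-hashes'` and per-attribute hashes. If `'unsafe-inline'` has to stay, the comment should record the accepted risk instead, e.g. `# NOTE: 'unsafe-inline' permits CSS injection (selector-based exfiltration, UI redress); accepted until inline style= attributes are removed from templates.` As written the added f-string has no placeholders (ruff F541), so either drop the `f` prefix or add the nonce. add_security_headers begins and ends outside this hunk.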