Verified Commit 9faa7b80 authored by Kevin Morris

feat: add cdn.jsdelivr.net to script/style CSP



Signed-off-by: Kevin Morris <kevr@0cost.org>
parent df0a4a2b
......@@ -253,10 +253,14 @@ async def add_security_headers(request: Request, call_next: typing.Callable):
# Add CSP header.
nonce = request.user.nonce
csp = "default-src 'self'; "
script_hosts = []
# swagger-ui needs access to cdn.jsdelivr.net javascript
script_hosts = ["cdn.jsdelivr.net"]
csp += f"script-src 'self' 'nonce-{nonce}' " + " ".join(script_hosts)
# It's fine if css is inlined.
csp += "; style-src 'self' 'unsafe-inline'"
# swagger-ui needs access to cdn.jsdelivr.net css
css_hosts = ["cdn.jsdelivr.net"]
csp += "; style-src 'self' 'unsafe-inline' " + " ".join(css_hosts)
response.headers["Content-Security-Policy"] = csp
# Add XTCO header.
......
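Review bot: Allow-listing the bare host `cdn.jsdelivr.net` in script-src (the `script_hosts` assignment and the `csp +=` line that joins it) lets any script published on that CDN execute on every page of the site, because jsDelivr serves arbitrary npm and GitHub content; that is a well-known CSP bypass for XSS and largely negates the protection the per-request nonce was giving. Narrow the source to the scheme and package path swagger-ui actually loads from, e.g. `script_hosts = ["https://cdn.jsdelivr.net/npm/swagger-ui-dist@<pinned-version>/"]` (and the same path for `css_hosts`), and consider emitting the CDN sources only on the API-docs route rather than on every response — where swagger-ui is mounted is not visible here, so confirm against the router. The rendered page lost the +/- markers, so it is unclear whether the earlier `script_hosts = []` and `csp += "; style-src 'self' 'unsafe-inline'"` lines survive on the new side; if they do, the header carries two style-src directives and browsers honor only the first, so the CDN css allowance would never take effect and the older line should be dropped. The body of add_security_headers continues outside the hunk.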