Verified Commit adc3a218 authored by Kevin Morris's avatar Kevin Morris
Browse files

fix: add 'unsafe-inline' to script-src CSP



swagger-ui uses inline javascript to bootstrap itself, so we need to
allow unsafe inline because we can't give swagger-ui a nonce to embed.

Signed-off-by: Kevin Morris's avatarKevin Morris <kevr@0cost.org>
parent 37c7dee0
......@@ -256,7 +256,9 @@ async def add_security_headers(request: Request, call_next: typing.Callable):
# swagger-ui needs access to cdn.jsdelivr.net javascript
script_hosts = ["cdn.jsdelivr.net"]
csp += f"script-src 'self' 'nonce-{nonce}' " + " ".join(script_hosts)
csp += f"script-src 'self' 'unsafe-inline' 'nonce-{nonce}' " + " ".join(
script_hosts
)
# swagger-ui needs access to cdn.jsdelivr.net css
css_hosts = ["cdn.jsdelivr.net"]
......
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment