oci/zeronet
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Remove limitations for img, font, media, style src in raw mode

Browse source
This commit is contained in:
shortcutme 2019-10-28 16:42:28 +01:00
parent e1d92bf0ec
commit 24ba2a150b
No known key found for this signature in database
GPG key ID: 5B63BAE6CB9613AE
1 changed files with 1 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
src/Ui/UiRequest.py
View file

@ -280,7 +280,7 @@ class UiRequest(object):
headers["Access-Control-Allow-Origin"] = "*" # Allow load font files from css headers["Access-Control-Allow-Origin"] = "*" # Allow load font files from css
if noscript: if noscript:
headers["Content-Security-Policy"] = "default-src 'none'; sandbox allow-top-navigation allow-forms; img-src 'self'; font-src 'self'; media-src 'self'; style-src 'self' 'unsafe-inline';" headers["Content-Security-Policy"] = "default-src 'none'; sandbox allow-top-navigation allow-forms; img-src *; font-src * data:; media-src *; style-src * 'unsafe-inline';"
elif script_nonce and self.isScriptNonceSupported(): elif script_nonce and self.isScriptNonceSupported():
headers["Content-Security-Policy"] = "default-src 'none'; script-src 'nonce-{0}'; img-src 'self' blob:; style-src 'self' blob: 'unsafe-inline'; connect-src *; frame-src 'self' blob:".format(script_nonce) headers["Content-Security-Policy"] = "default-src 'none'; script-src 'nonce-{0}'; img-src 'self' blob:; style-src 'self' blob: 'unsafe-inline'; connect-src *; frame-src 'self' blob:".format(script_nonce)