Rev3738, More strict csp, No csp on Edge
Edge does not supports nonce on external scripts
This commit is contained in:
parent
e8e0a19758
commit
e4819c1753
2 changed files with 3 additions and 3 deletions
|
@ -13,7 +13,7 @@ class Config(object):
|
|||
|
||||
def __init__(self, argv):
|
||||
self.version = "0.6.4"
|
||||
self.rev = 3737
|
||||
self.rev = 3738
|
||||
self.argv = argv
|
||||
self.action = None
|
||||
self.pending_changes = {}
|
||||
|
|
|
@ -234,8 +234,8 @@ class UiRequest(object):
|
|||
|
||||
if noscript:
|
||||
headers["Content-Security-Policy"] = "default-src 'none'; sandbox allow-top-navigation allow-forms; img-src 'self'; font-src 'self'; media-src 'self'; style-src 'self' 'unsafe-inline';"
|
||||
elif script_nonce:
|
||||
headers["Content-Security-Policy"] = "script-src 'nonce-%s'" % script_nonce
|
||||
elif script_nonce and "Edge/" not in self.env.get("HTTP_USER_AGENT"):
|
||||
headers["Content-Security-Policy"] = "default-src 'none'; script-src 'nonce-{0}'; img-src 'self'; style-src 'self' 'unsafe-inline'; connect-src *; frame-src 'self'".format(script_nonce)
|
||||
|
||||
if allow_ajax:
|
||||
headers["Access-Control-Allow-Origin"] = "null"
|
||||
|
|
Loading…
Reference in a new issue