From e4819c175307fa8d65ba8c64716bd94319c0a55a Mon Sep 17 00:00:00 2001 From: shortcutme Date: Mon, 10 Dec 2018 02:29:21 +0100 Subject: [PATCH] Rev3738, More strict csp, No csp on Edge Edge does not supports nonce on external scripts --- src/Config.py | 2 +- src/Ui/UiRequest.py | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/Config.py b/src/Config.py index 7d10612f..00ed7b17 100644 --- a/src/Config.py +++ b/src/Config.py @@ -13,7 +13,7 @@ class Config(object): def __init__(self, argv): self.version = "0.6.4" - self.rev = 3737 + self.rev = 3738 self.argv = argv self.action = None self.pending_changes = {} diff --git a/src/Ui/UiRequest.py b/src/Ui/UiRequest.py index 2dc06cc0..ade3f4f2 100644 --- a/src/Ui/UiRequest.py +++ b/src/Ui/UiRequest.py @@ -234,8 +234,8 @@ class UiRequest(object): if noscript: headers["Content-Security-Policy"] = "default-src 'none'; sandbox allow-top-navigation allow-forms; img-src 'self'; font-src 'self'; media-src 'self'; style-src 'self' 'unsafe-inline';" - elif script_nonce: - headers["Content-Security-Policy"] = "script-src 'nonce-%s'" % script_nonce + elif script_nonce and "Edge/" not in self.env.get("HTTP_USER_AGENT"): + headers["Content-Security-Policy"] = "default-src 'none'; script-src 'nonce-{0}'; img-src 'self'; style-src 'self' 'unsafe-inline'; connect-src *; frame-src 'self'".format(script_nonce) if allow_ajax: headers["Access-Control-Allow-Origin"] = "null"
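Review bot: `self.env.get("HTTP_USER_AGENT")` returns None when a client sends no User-Agent header, and `"Edge/" not in None` raises TypeError, so the new `elif` in the UiRequest.py hunk turns a missing header into a failed request instead of a served page; give it a default, `elif script_nonce and "Edge/" not in self.env.get("HTTP_USER_AGENT", ""):`. The nonce policy also omits `base-uri`, which does not fall back to `default-src`, so an injected `<base href>` could redirect relative script URLs loaded by a nonced tag — add `base-uri 'none';` (and `form-action 'self';` if forms are not posted elsewhere) to the policy string. Dropping the header entirely for Edge leaves those users with no CSP at all; a non-nonce fallback such as `script-src 'self'` with the same img/style/connect/frame directives would keep some protection if it fits the sites being served. `connect-src *` is presumably needed for the application's own connections, but it also permits exfiltration to any origin once a script runs, so it is worth confirming it cannot be narrowed. The enclosing method begins and ends outside the hunk.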