oci/zeronet
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Rev3738, More strict csp, No csp on Edge

Browse source 
Edge does not supports nonce on external scripts
This commit is contained in:
shortcutme 2018-12-10 02:29:21 +01:00
parent e8e0a19758
commit e4819c1753
No known key found for this signature in database
GPG key ID: 5B63BAE6CB9613AE
2 changed files with 3 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
src/Config.py
View file

@ -13,7 +13,7 @@ class Config(object):
def __init__(self, argv): def __init__(self, argv):
self.version = "0.6.4" self.version = "0.6.4"
self.rev = 3737 self.rev = 3738
self.argv = argv self.argv = argv
self.action = None self.action = None
self.pending_changes = {} self.pending_changes = {}

4
src/Ui/UiRequest.py
View file

@ -234,8 +234,8 @@ class UiRequest(object):
if noscript: if noscript:
headers["Content-Security-Policy"] = "default-src 'none'; sandbox allow-top-navigation allow-forms; img-src 'self'; font-src 'self'; media-src 'self'; style-src 'self' 'unsafe-inline';" headers["Content-Security-Policy"] = "default-src 'none'; sandbox allow-top-navigation allow-forms; img-src 'self'; font-src 'self'; media-src 'self'; style-src 'self' 'unsafe-inline';"
elif script_nonce: elif script_nonce and "Edge/" not in self.env.get("HTTP_USER_AGENT"):
headers["Content-Security-Policy"] = "script-src 'nonce-%s'" % script_nonce headers["Content-Security-Policy"] = "default-src 'none'; script-src 'nonce-{0}'; img-src 'self'; style-src 'self' 'unsafe-inline'; connect-src *; frame-src 'self'".format(script_nonce)
if allow_ajax: if allow_ajax:
headers["Access-Control-Allow-Origin"] = "null" headers["Access-Control-Allow-Origin"] = "null"