Tweaked the content security policy a little.
This commit is contained in:
parent
f41a5dd943
commit
4d1f80edab
@ -29,7 +29,7 @@ func renderTemplate(tmplName string, w http.ResponseWriter, r *http.Request, hea
|
||||
}
|
||||
// TODO: Expand this to non-HTTPS requests too
|
||||
if !header.LooseCSP && common.Site.EnableSsl {
|
||||
w.Header().Set("Content-Security-Policy", "default-src https: 'unsafe-eval'; style-src https: 'unsafe-eval' 'unsafe-inline'; img-src * 'unsafe-eval' 'unsafe-inline'; connect-src * 'unsafe-eval' 'unsafe-inline'; upgrade-insecure-requests")
|
||||
w.Header().Set("Content-Security-Policy", "default-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-eval' 'unsafe-inline'; img-src * data: 'unsafe-eval' 'unsafe-inline'; connect-src * 'unsafe-eval' 'unsafe-inline'; upgrade-insecure-requests")
|
||||
}
|
||||
if header.CurrentUser.IsAdmin {
|
||||
header.Elapsed1 = time.Since(header.StartedAt).String()
|
||||
|
Loading…
Reference in New Issue
Block a user