Tweaked the content security policy a little.

This commit is contained in:
Azareal 2019-03-04 09:21:06 +10:00
parent f41a5dd943
commit 4d1f80edab

View File

@ -29,7 +29,7 @@ func renderTemplate(tmplName string, w http.ResponseWriter, r *http.Request, hea
}
// TODO: Expand this to non-HTTPS requests too
if !header.LooseCSP && common.Site.EnableSsl {
w.Header().Set("Content-Security-Policy", "default-src https: 'unsafe-eval'; style-src https: 'unsafe-eval' 'unsafe-inline'; img-src * 'unsafe-eval' 'unsafe-inline'; connect-src * 'unsafe-eval' 'unsafe-inline'; upgrade-insecure-requests")
w.Header().Set("Content-Security-Policy", "default-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-eval' 'unsafe-inline'; img-src * data: 'unsafe-eval' 'unsafe-inline'; connect-src * 'unsafe-eval' 'unsafe-inline'; upgrade-insecure-requests")
}
if header.CurrentUser.IsAdmin {
header.Elapsed1 = time.Since(header.StartedAt).String()