Loosen the CSP a little for images.

Azareal 2019-02-28 18:11:29 +10:00
parent a4b579d75d
commit ae8485391b
1 changed files with 1 additions and 1 deletions


@ -29,7 +29,7 @@ func renderTemplate(tmplName string, w http.ResponseWriter, r *http.Request, hea
}
// TODO: Expand this to non-HTTPS requests too
if !header.LooseCSP && common.Site.EnableSsl {
w.Header().Set("Content-Security-Policy", "default-src https: 'unsafe-eval'; style-src https: 'unsafe-eval' 'unsafe-inline'; img-src https: 'unsafe-eval' 'unsafe-inline'; connect-src * 'unsafe-eval' 'unsafe-inline'; upgrade-insecure-requests")
w.Header().Set("Content-Security-Policy", "default-src https: 'unsafe-eval'; style-src https: 'unsafe-eval' 'unsafe-inline'; img-src * 'unsafe-eval' 'unsafe-inline'; connect-src * 'unsafe-eval' 'unsafe-inline'; upgrade-insecure-requests")
}
if header.CurrentUser.IsAdmin {
header.Elapsed1 = time.Since(header.StartedAt).String()
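Review bot: In the new `img-src * 'unsafe-eval' 'unsafe-inline'` directive the two quoted keywords are no-ops, since browsers honour them only on script and style directives, so this is effectively `img-src *` and would read more honestly written that way. The practical widening over `https:` is small: `*` adds non-HTTPS network schemes but still does not match `data:` or `blob:` URLs, and with `upgrade-insecure-requests` kept, plain-http image URLs are likely upgraded before the policy check anyway. It is worth confirming which image loads were actually being blocked and, if they were embedded images, using `img-src https: data:` instead of a wildcard; either way a short comment above the `Set` call should record the reason. The body of renderTemplate starts and ends outside this hunk.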