From 58a14c4ab0e586e921759e0a3dbc6932bbcc6531 Mon Sep 17 00:00:00 2001
From: hiromi-mi <hiromi-mi@cat.zaq.jp>
Date: Sat, 20 Jun 2020 08:51:09 +0900
Subject: [PATCH] To use nonce csp should include script-src: self, style-src:
 self

---
 app.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/app.py b/app.py
index 732e56d..976acdb 100644
--- a/app.py
+++ b/app.py
@@ -100,14 +100,15 @@ csrf.init_app(app)
 
 csp = {
     "default-src": "'self'",
-    "script-src": "'self'",
     "style-src-attr": "'unsafe-inline'",
+    "script-src": "'self'", # to use nonce
+    "style-src": "'self'", # to use nonce
 }
 
 talisman = Talisman(
     app,
     content_security_policy=csp,
-    force_https=False,
+    force_https=False, # internal requests like /tasks/* are sent over HTTP
     content_security_policy_nonce_in=["script-src", "style-src"],
 )