To use nonce csp should include script-src: self, style-src: self

This commit is contained in:
hiromi-mi 2020-06-20 08:51:09 +09:00
parent 51a424aa15
commit 58a14c4ab0

5
app.py

@ -100,14 +100,15 @@ csrf.init_app(app)
csp = { csp = {
"default-src": "'self'", "default-src": "'self'",
"script-src": "'self'",
"style-src-attr": "'unsafe-inline'", "style-src-attr": "'unsafe-inline'",
"script-src": "'self'", # to use nonce
"style-src": "'self'", # to use nonce
} }
talisman = Talisman( talisman = Talisman(
app, app,
content_security_policy=csp, content_security_policy=csp,
force_https=False, force_https=False, # internal requests like /tasks/* are sent over HTTP
content_security_policy_nonce_in=["script-src", "style-src"], content_security_policy_nonce_in=["script-src", "style-src"],
) )
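Review bot: The two `# to use nonce` comments on the new `script-src` and `style-src` entries would be more useful if they said why `default-src 'self'` is not sufficient: Talisman appends the per-request nonce only to directives named in `content_security_policy_nonce_in`, so each of those directives must exist explicitly in `csp` — e.g. `"script-src": "'self'",  # listed explicitly so Talisman can append the per-request nonce; the default-src fallback would not get one`. Worth a comment next to `"style-src-attr": "'unsafe-inline'"` as well: once `style-src` carries a nonce, browsers that do not implement the CSP3 `style-src-attr` directive fall back to `style-src` for inline `style=""` attributes, and since attributes cannot be nonced they are blocked there — presumably an accepted trade-off, but it should be stated. The comment added to `force_https=False` explains the HTTP-only internal requests; whether HSTS is still emitted on HTTPS responses is not visible in this hunk and is worth confirming. Both the `csp` dict and the `Talisman(...)` call appear to lie within the hunk, although blank lines between them seem to have been dropped by the rendering.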