From f0929c6bab1be1c03f37657bb8d58f398d0c5c1f Mon Sep 17 00:00:00 2001
From: hiromi-mi
Date: Sat, 20 Jun 2020 09:50:32 +0900
Subject: [PATCH] csp: support old browsers without style-src-attr

---
 app.py | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/app.py b/app.py
index 976acdb..8a7a8c4 100644
--- a/app.py
+++ b/app.py
@@ -101,14 +101,15 @@ csrf.init_app(app)
 csp = {
     "default-src": "'self'",
     "style-src-attr": "'unsafe-inline'",
-    "script-src": "'self'", # to use nonce
-    "style-src": "'self'", # to use nonce
+    "script-src": "'self'", # to use nonce
+    "style-src": "'unsafe-inline'", # for old browsers without support style-src-attr
+    "style-src-elem": "'self'",
 }
 
 talisman = Talisman(
     app,
     content_security_policy=csp,
-    force_https=False, # internal requests like /tasks/* are sent over HTTP
+    force_https=False, # internal requests like /tasks/* are sent over HTTP
     content_security_policy_nonce_in=["script-src", "style-src"],
 )
 
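Review bot: Because `"style-src"` is still listed in the unchanged `content_security_policy_nonce_in=["script-src", "style-src"]`, the new `'unsafe-inline'` value is ignored by every browser that honours the injected nonce (a nonce or hash in a directive disables `'unsafe-inline'` under CSP2 and CSP3), so the relaxation only reaches browsers with no nonce support at all, while a browser that understands nonces but not `style-src-attr` still blocks inline `style=` attributes — and the subject line suggests that is the case being targeted. Either drop `"style-src"` from `content_security_policy_nonce_in` (accepting `'unsafe-inline'` for styles everywhere) or keep the nonce and move the affected inline styles into nonced `<style>` blocks, but the two halves of the policy as written do not combine into the intended fallback. Separately, the added `"style-src-elem": "'self'"` takes precedence over `style-src` for `<style>` and `<link>` elements in browsers that support it and receives no nonce, so any nonce-tagged `<style>` element that the removed `# to use nonce` comment implies would now be blocked in exactly those browsers; if the templates still emit such elements, add `"style-src-elem"` to `content_security_policy_nonce_in`, which Talisman should then nonce as it does the other two. The added comment should state the real mechanism rather than `style-src-attr`, e.g. `# fallback for browsers without nonce support; nonce-aware browsers ignore 'unsafe-inline' once the nonce is present`.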