csp: support old browsers without style-src-attr

2020-06-20 09:50:32 +09:00 · 2020-06-20 09:50:32 +09:00 · f0929c6bab
commit f0929c6bab
parent 58a14c4ab0
1 changed files with 4 additions and 3 deletions
--- a/app.py
+++ b/app.py
@ -102,7 +102,8 @@ csp = {
    "default-src": "'self'",
    "style-src-attr": "'unsafe-inline'",
    "script-src": "'self'",  # to use nonce
-    "style-src": "'self'", # to use nonce
+    "style-src": "'unsafe-inline'",  # for old browsers without support style-src-attr
+    "style-src-elem": "'self'",
 }

 talisman = Talisman(