[BUGFIX] Relax CSP for trusted-types (#1036)

This will need to be revisited to re-introduce trusted-types when we have a clear handle on all the libraries and their implementation to support this.
This commit is contained in:
Amir Zarrinkafsh 2020-05-21 13:16:37 +10:00 committed by GitHub
parent fcd0b5e46a
commit 7488206195
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

View File

@ -36,7 +36,7 @@ func ServeIndex(publicDir, base string) fasthttp.RequestHandler {
nonce := utils.RandomString(32, alphaNumericRunes)
ctx.SetContentType("text/html; charset=utf-8")
ctx.Response.Header.Add("Content-Security-Policy", fmt.Sprintf("default-src 'self'; object-src 'none'; require-trusted-types-for 'script'; style-src 'self' 'nonce-%s'", nonce))
ctx.Response.Header.Add("Content-Security-Policy", fmt.Sprintf("default-src 'self'; object-src 'none'; style-src 'self' 'nonce-%s'", nonce))
err := tmpl.Execute(ctx.Response.BodyWriter(), struct{ CSPNonce, Base string }{CSPNonce: nonce, Base: base})
if err != nil {