Skip to content

Commit

Permalink
Remove unsafe-inline fallback
Browse files Browse the repository at this point in the history 
Unnecessary. We do not want to support older browsers.
  • Loading branch information
@np5
np5 committed Jun 1, 2024
1 parent aef7978 commit cd84e1f
Show file tree
Hide file tree
Showing 2 changed files with 2 additions and 2 deletions.
2 changes: 1 addition & 1 deletion server/base/middlewares.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -14,7 +14,7 @@
DEFAULT_CSP_POLICIES = {
"default-src": "'self'",
"img-src": "'self' https://*.mzstatic.com",
"script-src": "'self' 'unsafe-inline'", # unsafe-inline ignored when nonce-* is supported
"script-src": "'self'",
"base-uri": "'none'",
"frame-ancestors": "'none'",
"object-src": "'none'",
Expand Down
2 changes: 1 addition & 1 deletion tests/server_base/test_index.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -67,7 +67,7 @@ def test_index_get(self):
self.assertEqual(response.status_code, 200)
self.assertTemplateUsed(response, "base/index.html")
self.assertIn(";object-src 'none';", response["Content-Security-Policy"])
self.assertIn(";script-src 'self' 'unsafe-inline' 'nonce-", response["Content-Security-Policy"])
self.assertIn(";script-src 'self' 'nonce-", response["Content-Security-Policy"])
self.assertNotIn("unsafe-eval", response["Content-Security-Policy"])

# extra links
Expand Down

0 comments on commit cd84e1f

Please sign in to comment.