Merge remote-tracking branch 'csp/patch-2'
This commit is contained in:
commit
5b5146a793
|
@ -91,10 +91,10 @@ def add_security_headers(resp):
|
||||||
if request.endpoint == "edit-book.show_edit_book" or config.config_use_google_drive:
|
if request.endpoint == "edit-book.show_edit_book" or config.config_use_google_drive:
|
||||||
csp += " *;"
|
csp += " *;"
|
||||||
elif request.endpoint == "web.read_book":
|
elif request.endpoint == "web.read_book":
|
||||||
csp += " style-src-elem 'self' blob: 'unsafe-inline';"
|
csp += " blob:; style-src-elem 'self' blob: 'unsafe-inline';"
|
||||||
else:
|
else:
|
||||||
csp += ";"
|
csp += ";"
|
||||||
csp += "object-src: 'none';"
|
csp += " object-src 'none';"
|
||||||
resp.headers['Content-Security-Policy'] = csp
|
resp.headers['Content-Security-Policy'] = csp
|
||||||
resp.headers['X-Content-Type-Options'] = 'nosniff'
|
resp.headers['X-Content-Type-Options'] = 'nosniff'
|
||||||
resp.headers['X-Frame-Options'] = 'SAMEORIGIN'
|
resp.headers['X-Frame-Options'] = 'SAMEORIGIN'
|
||||||
|
|
Loading…
Reference in New Issue
Block a user