AuthorBot commited on
Commit
5ae645d
·
1 Parent(s): b9169bd

Fix: CSP expanded to allow Google Fonts and jsdelivr CDN used by admin SPA

Browse files
Files changed (1) hide show
  1. app/middleware/security_headers.py +7 -3
app/middleware/security_headers.py CHANGED
@@ -34,9 +34,13 @@ class SecurityHeadersMiddleware:
34
  (b"permissions-policy", b"camera=(), microphone=(), geolocation=(), payment=()"),
35
  # R-043: CSP — primary XSS defense
36
  (b"content-security-policy",
37
- b"default-src 'self'; script-src 'self' 'unsafe-inline'; "
38
- b"style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; "
39
- b"connect-src 'self' https://api.openai.com; frame-ancestors 'none'"),
 
 
 
 
40
  ]
41
  if use_hsts:
42
  security_headers.insert(
 
34
  (b"permissions-policy", b"camera=(), microphone=(), geolocation=(), payment=()"),
35
  # R-043: CSP — primary XSS defense
36
  (b"content-security-policy",
37
+ b"default-src 'self'; "
38
+ b"script-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net; "
39
+ b"style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; "
40
+ b"font-src 'self' https://fonts.gstatic.com; "
41
+ b"img-src 'self' data: https:; "
42
+ b"connect-src 'self' https://api.openai.com; "
43
+ b"frame-ancestors 'none'"),
44
  ]
45
  if use_hsts:
46
  security_headers.insert(