Spaces:
Running
Running
AuthorBot commited on
Commit ·
5ae645d
1
Parent(s): b9169bd
Fix: CSP expanded to allow Google Fonts and jsdelivr CDN used by admin SPA
Browse files
app/middleware/security_headers.py
CHANGED
|
@@ -34,9 +34,13 @@ class SecurityHeadersMiddleware:
|
|
| 34 |
(b"permissions-policy", b"camera=(), microphone=(), geolocation=(), payment=()"),
|
| 35 |
# R-043: CSP — primary XSS defense
|
| 36 |
(b"content-security-policy",
|
| 37 |
-
b"default-src 'self';
|
| 38 |
-
b"
|
| 39 |
-
b"
|
|
|
|
|
|
|
|
|
|
|
|
|
| 40 |
]
|
| 41 |
if use_hsts:
|
| 42 |
security_headers.insert(
|
|
|
|
| 34 |
(b"permissions-policy", b"camera=(), microphone=(), geolocation=(), payment=()"),
|
| 35 |
# R-043: CSP — primary XSS defense
|
| 36 |
(b"content-security-policy",
|
| 37 |
+
b"default-src 'self'; "
|
| 38 |
+
b"script-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net; "
|
| 39 |
+
b"style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; "
|
| 40 |
+
b"font-src 'self' https://fonts.gstatic.com; "
|
| 41 |
+
b"img-src 'self' data: https:; "
|
| 42 |
+
b"connect-src 'self' https://api.openai.com; "
|
| 43 |
+
b"frame-ancestors 'none'"),
|
| 44 |
]
|
| 45 |
if use_hsts:
|
| 46 |
security_headers.insert(
|