From cc65310eb86e5e47143da9ea9860efce3c3f47f2 Mon Sep 17 00:00:00 2001
From: Jeremy Jameson
Date: Mon, 15 Nov 2021 18:26:03 -0700
Subject: [PATCH] Modify CSP HTTP header to allow inline styles

This is required by custom components (e.g. the "Tags" partial that renders tags with various font sizes and weights) as well as Bootstrap itself: https://github.com/twbs/bootstrap/issues/25394
---
 config/_default/config.toml | 2 +-
 static/staticwebapp.config.json | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/config/_default/config.toml b/config/_default/config.toml
index 78a5e5b0..c135aa2a 100644
--- a/config/_default/config.toml
+++ b/config/_default/config.toml
@@ -43,5 +43,5 @@ enableGitInfo = true
 [[server.headers]]
 for = '/**'
 [server.headers.values]
- Content-Security-Policy = "default-src 'self'; connect-src 'self' https://www.google-analytics.com; font-src 'self' data: https://cdnjs.cloudflare.com; img-src 'self' data: https://*.technologytoolbox.com; script-src 'self' 'unsafe-inline' data: https://cdnjs.cloudflare.com https://www.google-analytics.com; style-src 'self' https://cdnjs.cloudflare.com;"
+ Content-Security-Policy = "default-src 'self'; connect-src 'self' https://www.google-analytics.com; font-src 'self' data: https://cdnjs.cloudflare.com; img-src 'self' data: https://*.technologytoolbox.com; script-src 'self' 'unsafe-inline' data: https://cdnjs.cloudflare.com https://www.google-analytics.com; style-src 'self' 'unsafe-inline' https://cdnjs.cloudflare.com;"
 X-Frame-Options = 'DENY'
\ No newline at end of file
diff --git a/static/staticwebapp.config.json b/static/staticwebapp.config.json
index 864f5f93..5e31393f 100644
--- a/static/staticwebapp.config.json
+++ b/static/staticwebapp.config.json
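Review bot: Adding `'unsafe-inline'` to `style-src` on the new Content-Security-Policy line allows any inline `<style>` element or `style=` attribute, including ones injected through a content bug, so the CSS-side protection this directive gave is effectively gone; the identical hunk in static/staticwebapp.config.json has the same issue and the two strings must stay byte-for-byte in sync. The "Tags" partial mentioned in the description emits static inline styles, so a per-block `'sha256-…'` source expression (with `'unsafe-hashes'` if they are style attributes rather than style elements) would admit exactly those styles and nothing else; whether the Bootstrap case still forces `'unsafe-inline'` should be stated in the description since it is the only reason to keep the blanket allowance. The re-emitted line also retains `script-src 'self' 'unsafe-inline'`, which already removes most of the XSS mitigation the header could provide; this commit does not touch it, but it is worth a follow-up with nonces or hashes. A comment above the key, `# NOTE: keep identical to the CSP in static/staticwebapp.config.json`, would make the duplication explicit for the next edit.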
@@ -1,6 +1,6 @@
 {
 "globalHeaders": {
- "Content-Security-Policy": "default-src 'self'; connect-src 'self' https://www.google-analytics.com; font-src 'self' data: https://cdnjs.cloudflare.com; img-src 'self' data: https://*.technologytoolbox.com; script-src 'self' 'unsafe-inline' data: https://cdnjs.cloudflare.com https://www.google-analytics.com; style-src 'self' https://cdnjs.cloudflare.com;",
+ "Content-Security-Policy": "default-src 'self'; connect-src 'self' https://www.google-analytics.com; font-src 'self' data: https://cdnjs.cloudflare.com; img-src 'self' data: https://*.technologytoolbox.com; script-src 'self' 'unsafe-inline' data: https://cdnjs.cloudflare.com https://www.google-analytics.com; style-src 'self' 'unsafe-inline' https://cdnjs.cloudflare.com;",
 "X-Frame-Options": "DENY"
 }
 }