mirror of
https://github.com/hedgedoc/hedgedoc.git
synced 2024-11-25 11:16:31 -05:00
Remove unsafe-eval from default CSP
As script-loader was removed in the previous commits, we can finally tighten up security. Signed-off-by: David Mehren <git@herrmehren.de>
This commit is contained in:
parent
2cecb9184b
commit
3cd169a650
1 changed files with 1 additions and 2 deletions
|
@ -5,8 +5,7 @@ const CspStrategy = {}
|
|||
|
||||
const defaultDirectives = {
|
||||
defaultSrc: ['\'self\''],
|
||||
scriptSrc: ['\'self\'', 'vimeo.com', 'https://gist.github.com', 'www.slideshare.net', '\'unsafe-eval\''],
|
||||
// ^ TODO: Remove unsafe-eval - webpack script-loader issues https://github.com/hackmdio/codimd/issues/594
|
||||
scriptSrc: ['\'self\'', 'vimeo.com', 'https://gist.github.com', 'www.slideshare.net'],
|
||||
imgSrc: ['*'],
|
||||
styleSrc: ['\'self\'', '\'unsafe-inline\'', 'https://github.githubassets.com'], // unsafe-inline is required for some libs, plus used in views
|
||||
fontSrc: ['\'self\'', 'data:', 'https://public.slidesharecdn.com'],
|
||||
|
|
Loading…
Reference in a new issue