mirror of
https://github.com/hedgedoc/hedgedoc.git
synced 2024-11-22 17:56:30 -05:00
Don't add nonce to CSP if unsafe-inline is on
Browsers ignore unsafe-inline if a nonce is sent
This commit is contained in:
parent
91101c856c
commit
d51da8c12c
1 changed files with 3 additions and 1 deletions
4
app.js
4
app.js
|
@ -171,7 +171,9 @@ if (config.csp.enable) {
|
||||||
)
|
)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
directives.scriptSrc.push(getCspNonce)
|
if (directives.scriptSrc.indexOf('\'unsafe-inline\'') === -1) {
|
||||||
|
directives.scriptSrc.push(getCspNonce)
|
||||||
|
}
|
||||||
directives.connectSrc.push(getCspWebSocketUrl)
|
directives.connectSrc.push(getCspWebSocketUrl)
|
||||||
if (config.csp.upgradeInsecureRequests === 'auto') {
|
if (config.csp.upgradeInsecureRequests === 'auto') {
|
||||||
directives.upgradeInsecureRequests = config.usessl === 'true'
|
directives.upgradeInsecureRequests = config.usessl === 'true'
|
||||||
|
|
Loading…
Reference in a new issue