From 7488206195681fdc830dea5dbd85e569fff34af6 Mon Sep 17 00:00:00 2001 From: Amir Zarrinkafsh Date: Thu, 21 May 2020 13:16:37 +1000 Subject: [PATCH] [BUGFIX] Relax CSP for trusted-types (#1036) This will need to be revisited to re-introduce trusted-types when we have a clear handle on all the libraries and their implementation to support this. --- internal/server/index.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/internal/server/index.go b/internal/server/index.go index 39a8875d1..9c5544f10 100644 --- a/internal/server/index.go +++ b/internal/server/index.go @@ -36,7 +36,7 @@ func ServeIndex(publicDir, base string) fasthttp.RequestHandler { nonce := utils.RandomString(32, alphaNumericRunes) ctx.SetContentType("text/html; charset=utf-8") - ctx.Response.Header.Add("Content-Security-Policy", fmt.Sprintf("default-src 'self'; object-src 'none'; require-trusted-types-for 'script'; style-src 'self' 'nonce-%s'", nonce)) + ctx.Response.Header.Add("Content-Security-Policy", fmt.Sprintf("default-src 'self'; object-src 'none'; style-src 'self' 'nonce-%s'", nonce)) err := tmpl.Execute(ctx.Response.BodyWriter(), struct{ CSPNonce, Base string }{CSPNonce: nonce, Base: base}) if err != nil {