From 2ddbaa21502721d8c94ac274dcd846e1d528f7c1 Mon Sep 17 00:00:00 2001
From: Julien Voisin
Date: Thu, 22 Dec 2022 12:47:37 +0100
Subject: [PATCH] Add object-src to the CSP policy
---
 cps/web.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/cps/web.py b/cps/web.py
index e1b69ce9..98489b04 100755
--- a/cps/web.py
+++ b/cps/web.py
@@ -85,7 +85,8 @@ def add_security_headers(resp):
     csp += " 'unsafe-inline' 'unsafe-eval'; font-src 'self' data:; img-src 'self' "
     if request.path.startswith("/author/") and config.config_use_goodreads:
         csp += "images.gr-assets.com i.gr-assets.com s.gr-assets.com"
-    csp += " data:"
+    csp += " data:;"
+    csp += " object-src: 'none';"
     resp.headers['Content-Security-Policy'] = csp
     if request.endpoint == "edit-book.show_edit_book" or config.config_use_google_drive:
         resp.headers['Content-Security-Policy'] += " *"
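Review bot: The added directive is written as `object-src: 'none'`, but CSP directive names take no colon, so a browser sees an unknown directive named `object-src:` and discards it, and the header gains no plugin restriction at all; the line should read `csp += " object-src 'none';"`. A second effect of the new trailing `;` is on the unchanged lines below: the later `resp.headers['Content-Security-Policy'] += " *"` used to extend `img-src` (the last directive), whereas now it lands after the final semicolon as a stray token, so the edit-book / Google Drive case loses its wildcard image source. I would fix both by appending `*` to `img-src` before closing that directive and only then adding `object-src`, setting the header once; the `+= " *"` line after the assignment is then dropped. `add_security_headers` begins and ends outside the hunk, so the earlier `csp` build-up is not visible here.
```python
    # … unchanged: script-src / font-src / img-src build-up and goodreads hosts …
    csp += " data:"
    if request.endpoint == "edit-book.show_edit_book" or config.config_use_google_drive:
        csp += " *"
    # object-src takes no colon; a ':' would make the directive unrecognised and ignored
    csp += "; object-src 'none';"
    resp.headers['Content-Security-Policy'] = csp
```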