PostERG/xamxam
1
0
Fork 0
mirror of https://codeberg.org/PostERG/xamxam.git synced 2026-05-06 19:19:19 +02:00
Code Issues Packages Projects Releases Wiki Activity

fix: admin CSP allow inline scripts

Browse Source 
script-src 'self' 'unsafe-inline' added to admin Content-Security-Policy.
default-src 'self' was blocking OverType editor init block and
the dev live-reload poller. Admin section is auth-gated so
unsafe-inline is acceptable.
This commit is contained in:
Pontoporeia
2026-04-06 16:49:14 +02:00
parent e6960f0c9c
commit b45e6c50cc
4 changed files with 21 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
nginx/posterg.conf
View File

@@ -123,8 +123,10 @@ server {
# Rate limiting for admin
limit_req zone=admin burst=20 nodelay;
# Content-Security-Policy - Tighter policy for admin
add_header Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; object-src 'none'; frame-ancestors 'none';" always;
# Content-Security-Policy - Admin policy
# script-src needs 'unsafe-inline' for the OverType editor init block
# and the live-reload poller (dev only). Admin is already auth-gated.
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; object-src 'none'; frame-ancestors 'none';" always;
# Disable directory listing
autoindex off;