Fix fullcalendar CSP errors
- whitelist the 'data:' protocol for fonts - Add CSP hash directive to allow fullcalendar inline style
This commit is contained in:
parent
81948b45ca
commit
9c0c5b6e83
|
@ -77,7 +77,7 @@ defmodule Mobilizon.Web.Plugs.HTTPSecurityPlug do
|
||||||
# unsafe-eval is because of JS issues with regenerator-runtime
|
# unsafe-eval is because of JS issues with regenerator-runtime
|
||||||
@script_src "script-src 'self' 'unsafe-eval' "
|
@script_src "script-src 'self' 'unsafe-eval' "
|
||||||
@style_src "style-src 'self' "
|
@style_src "style-src 'self' "
|
||||||
@font_src "font-src 'self' "
|
@font_src "font-src 'self' data: "
|
||||||
|
|
||||||
@spec csp_string(Keyword.t()) :: String.t()
|
@spec csp_string(Keyword.t()) :: String.t()
|
||||||
defp csp_string(options) do
|
defp csp_string(options) do
|
||||||
|
@ -117,6 +117,8 @@ defmodule Mobilizon.Web.Plugs.HTTPSecurityPlug do
|
||||||
|
|
||||||
style_src = [style_src] ++ [get_csp_config(:style_src, options)]
|
style_src = [style_src] ++ [get_csp_config(:style_src, options)]
|
||||||
|
|
||||||
|
style_src = [style_src] ++ ["'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU='"]
|
||||||
|
|
||||||
font_src = [@font_src] ++ [get_csp_config(:font_src, options)]
|
font_src = [@font_src] ++ [get_csp_config(:font_src, options)]
|
||||||
|
|
||||||
frame_src = build_csp_field(:frame_src, options)
|
frame_src = build_csp_field(:frame_src, options)
|
||||||
|
|
Loading…
Reference in a new issue