Fix fullcalendar CSP errors

- allow the `data:` scheme in `font-src` for fonts
- Add CSP hash directive to allow fullcalendar inline style
This commit is contained in:
summersamara 2023-12-16 00:11:11 +01:00
parent 81948b45ca
commit 9c0c5b6e83


@ -77,7 +77,7 @@ defmodule Mobilizon.Web.Plugs.HTTPSecurityPlug do
# unsafe-eval is because of JS issues with regenerator-runtime # unsafe-eval is because of JS issues with regenerator-runtime
@script_src "script-src 'self' 'unsafe-eval' " @script_src "script-src 'self' 'unsafe-eval' "
@style_src "style-src 'self' " @style_src "style-src 'self' "
@font_src "font-src 'self' " @font_src "font-src 'self' data: "
@spec csp_string(Keyword.t()) :: String.t() @spec csp_string(Keyword.t()) :: String.t()
defp csp_string(options) do defp csp_string(options) do
@ -117,6 +117,8 @@ defmodule Mobilizon.Web.Plugs.HTTPSecurityPlug do
style_src = [style_src] ++ [get_csp_config(:style_src, options)] style_src = [style_src] ++ [get_csp_config(:style_src, options)]
style_src = [style_src] ++ ["'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU='"]
font_src = [@font_src] ++ [get_csp_config(:font_src, options)] font_src = [@font_src] ++ [get_csp_config(:font_src, options)]
frame_src = build_csp_field(:frame_src, options) frame_src = build_csp_field(:frame_src, options)
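Review bot: The hash added in the second hunk, `'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU='`, is the base64 SHA-256 of the empty string, so it only matches an inline `<style>` whose content is empty, and a hash source never matches a `style=` attribute unless `'unsafe-hashes'` is also present; if the CSP violation came from an attribute or from a non-empty style block, this line will not clear it, and if it does work because fullcalendar inserts an empty `<style>` and fills it via CSSOM afterwards, that reasoning needs to be written down. Move the literal next to the other directives as `@fullcalendar_style_hash "'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU='"` with a comment such as `# SHA-256 of the empty string: matches the empty <style> element fullcalendar injects at runtime — TODO confirm against the bundled fullcalendar version and regenerate on upgrade`. The two consecutive appends also build a nested list (`[[style_src, cfg], hash]`), which reads as accidental; if the later join treats the value as iodata, `style_src = [style_src, get_csp_config(:style_src, options), @fullcalendar_style_hash]` expresses the same thing in one line. `data:` in `font-src` is widely accepted as low risk, but a one-line why-comment on `@font_src` naming the fullcalendar fonts would help the next reader. `csp_string/1` starts in the first hunk and continues past the end of the section.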