From b6bc38607224d825890189fc92eaac0bfd4e9b3d Mon Sep 17 00:00:00 2001
From: "Roman Schmerold (BNoiZe)" 
Date: Thu, 27 Nov 2014 22:04:21 +0100
Subject: [PATCH] Allow inline styles/scripts, otherwise template functions will break

Signed-off-by: Roman Schmerold (BNoiZe) 
---
 lib/init.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/init.php b/lib/init.php
index bee4fb3a..4ce16229 100644
--- a/lib/init.php
+++ b/lib/init.php
@@ -29,7 +29,7 @@ header('Expires: ' . gmdate( 'D, d M Y H:i:s \G\M\T', time()));
 // Inline-JS is no longer allowed and used
 // See: http://people.mozilla.org/~bsterne/content-security-policy/index.html
 // New stuff see: https://www.owasp.org/index.php/List_of_useful_HTTP_headers and https://www.owasp.org/index.php/Content_Security_Policy
-$csp_content = "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self'; reflected-xss block;";
+$csp_content = "default-src 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self'; img-src 'self'; style-src 'self' 'unsafe-inline'; reflected-xss block;";
 header("Content-Security-Policy: ".$csp_content);
 header("X-Content-Security-Policy: ".$csp_content);
 header("X-WebKit-CSP: ".$csp_content);
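Review bot: Adding `'unsafe-inline'` to `script-src` on the new `$csp_content` line gives up most of the cross-site-scripting mitigation this policy existed for, since any injected inline script now executes, and the context comment two lines above (`// Inline-JS is no longer allowed and used`) is now false and should be rewritten to match, e.g. `// Inline scripts/styles are allowed ('unsafe-inline') because the template functions emit them; this weakens CSP's XSS protection — replace with nonce- or hash-based source expressions once the templates can be adapted`. The commit message explains the motivation (template functions emit inline code), so the comment is the right place to record that trade-off and the intended follow-up; `'unsafe-inline'` on `style-src` is less severe but deserves the same mention. The widening of `default-src` from `'none'` to `'self'` is not mentioned in the subject line and, if it is deliberate, should also be called out in the comment. The three `header(...)` calls that emit the policy are unchanged and the rest of lib/init.php lies outside this hunk.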