CGM_Public/pretix_cgo
1
0
Fork 0
forked from CGM_Public/pretix_original
Code Pull Requests Actions Activity

Add font-src to default CSP header

Browse Source
This commit is contained in:
Raphael Michel
2017-09-25 10:19:36 +02:00
parent 43fc498297
commit ab9dd32902
1 changed files with 1 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
src/pretix/base/middleware.py
View File

@@ -186,6 +186,7 @@ class SecurityMiddleware(MiddlewareMixin):
'style-src': ["{static}", "{media}", "'nonce-{nonce}'"], 'style-src': ["{static}", "{media}", "'nonce-{nonce}'"],
'connect-src': ["{dynamic}", "{media}", "https://checkout.stripe.com"], 'connect-src': ["{dynamic}", "{media}", "https://checkout.stripe.com"],
'img-src': ["{static}", "{media}", "data:", "https://*.stripe.com"], 'img-src': ["{static}", "{media}", "data:", "https://*.stripe.com"],
'font-src': ["{static}"],
# form-action is not only used to match on form actions, but also on URLs # form-action is not only used to match on form actions, but also on URLs
# form-actions redirect to. In the context of e.g. payment providers or # form-actions redirect to. In the context of e.g. payment providers or
# single-sign-on this can be nearly anything so we cannot really restrict # single-sign-on this can be nearly anything so we cannot really restrict