From 2893f72d5b9bb6d39cd299ca43d4f9be0468d7a2 Mon Sep 17 00:00:00 2001
From: Raphael Michel
Date: Thu, 9 Feb 2023 12:11:39 +0100
Subject: [PATCH] Widget: Don't set CSP header on non-HTML resources

---
 src/pretix/presale/views/widget.py | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/pretix/presale/views/widget.py b/src/pretix/presale/views/widget.py
index 13ddb48ebc..5ad3d56cea 100644
--- a/src/pretix/presale/views/widget.py
+++ b/src/pretix/presale/views/widget.py
@@ -105,6 +105,7 @@ def widget_css(request, **kwargs):
     et = html.fromstring(tpl.render({})).xpath('/html/head/link')[0].attrib['href'].replace(settings.STATIC_URL, '')
     f = finders.find(et)
     resp = FileResponse(open(f, 'rb'), content_type='text/css')
+    resp._csp_ignore = True
     return resp
 
 
@@ -196,6 +197,7 @@ def widget_js(request, lang, **kwargs):
     gs.settings.set('widget_checksum_{}'.format(lang), checksum)
     cache.set('widget_js_data_{}'.format(lang), data, 3600 * 4)
     resp = HttpResponse(data, content_type='text/javascript')
+    resp._csp_ignore = True
     return resp
 
 
@@ -323,6 +325,7 @@ class WidgetAPIProductList(EventListMixin, View):
         self.post_process(data)
         resp = JsonResponse(data)
         resp['Access-Control-Allow-Origin'] = '*'
+        resp._csp_ignore = True
         return resp
 
     def get(self, request, *args, **kwargs):
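Review bot: The new `resp._csp_ignore = True` line in all three hunks (widget_css, widget_js, and the WidgetAPIProductList method in the third hunk) opts a response out of CSP through a private, undocumented attribute whose consumer is not part of this patch, so nothing here shows that the CSP middleware reads it or what happens when the attribute is absent. A one-line comment at each site would make the contract visible, e.g. `# Opt out of the CSP middleware: CSP only governs documents, and this response is a stylesheet/script/JSON payload that is never rendered as HTML`. Because the opt-out is keyed on the view rather than on the response, it stays correct only while these responses keep their non-HTML content type; deciding in the middleware from the header itself (`resp.get('Content-Type', '').startswith('text/html')`) would be a more robust home for this rule than per-view flags, presumably a follow-up rather than part of this change. For the JSON response in the third hunk, which is also served with `Access-Control-Allow-Origin: *`, it is worth confirming that `X-Content-Type-Options: nosniff` is set elsewhere so the now-CSP-less body cannot be sniffed as a document. All three enclosing functions begin and continue outside their hunks.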