Widget: Don't set CSP header on non-HTML resources

2026-05-05 15:14:04 +00:00 · 2023-02-09 12:11:39 +01:00
parent ba0edd6261
commit 2893f72d5b
1 changed files with 3 additions and 0 deletions
--- a/src/pretix/presale/views/widget.py
+++ b/src/pretix/presale/views/widget.py
@@ -105,6 +105,7 @@ def widget_css(request, **kwargs):
    et = html.fromstring(tpl.render({})).xpath('/html/head/link')[0].attrib['href'].replace(settings.STATIC_URL, '')
    f = finders.find(et)
    resp = FileResponse(open(f, 'rb'), content_type='text/css')
+    resp._csp_ignore = True
    return resp


@@ -196,6 +197,7 @@ def widget_js(request, lang, **kwargs):
            gs.settings.set('widget_checksum_{}'.format(lang), checksum)
            cache.set('widget_js_data_{}'.format(lang), data, 3600 * 4)
        resp = HttpResponse(data, content_type='text/javascript')
+    resp._csp_ignore = True
    return resp


@@ -323,6 +325,7 @@ class WidgetAPIProductList(EventListMixin, View):
        self.post_process(data)
        resp = JsonResponse(data)
        resp['Access-Control-Allow-Origin'] = '*'
+        resp._csp_ignore = True
        return resp

    def get(self, request, *args, **kwargs):