CSP: Exclude PDF editor (just doesn't work in FF)

2026-05-04 15:04:03 +00:00 · 2017-09-28 18:44:12 +02:00
parent 29b157f287
commit 784f6e703c
4 changed files with 11 additions and 5 deletions
--- a/src/pretix/base/middleware.py
+++ b/src/pretix/base/middleware.py
@@ -220,7 +220,14 @@ class SecurityMiddleware(MiddlewareMixin):
                    domain = '%s:%d' % (domain, siteurlsplit.port)
                dynamicdomain += " " + domain

-        if request.path not in self.CSP_EXEMPT:
+        if request.path not in self.CSP_EXEMPT and not getattr(resp, '_csp_ignore', False):
            resp['Content-Security-Policy'] = _render_csp(h).format(static=staticdomain, dynamic=dynamicdomain,
                                                                    media=mediadomain, nonce=request.csp_nonce)
+            for k, v in h.items():
+                h[k] = ' '.join(v).format(static=staticdomain, dynamic=dynamicdomain, media=mediadomain,
+                                          nonce=request.csp_nonce).split(' ')
+            resp['Content-Security-Policy'] = _render_csp(h)
+        elif 'Content-Security-Policy' in resp:
+            del resp['Content-Security-Policy']
+
        return resp