diff --git a/src/pretix/control/views/mail.py b/src/pretix/control/views/mail.py
index 6b775961ea..de25215d34 100644
--- a/src/pretix/control/views/mail.py
+++ b/src/pretix/control/views/mail.py
@@ -112,6 +112,9 @@ class OutgoingMailDetailView(OrganizerDetailViewMixin, OrganizerPermissionRequir
         h = {}
         csps = {
             'frame-src': ['data:'],
+            # Unfortuantely, we can't avoid unsafe-inline for style here.
+            # See outgoingmail.js for the protection measures we take.
+            'style-src': ["'unsafe-inline'"],
         }
         _merge_csp(h, csps)
         response['Content-Security-Policy'] = _render_csp(h)
diff --git a/src/pretix/static/pretixcontrol/js/ui/outgoingmail.js b/src/pretix/static/pretixcontrol/js/ui/outgoingmail.js
index f6457440ad..43600d40a8 100644
--- a/src/pretix/static/pretixcontrol/js/ui/outgoingmail.js
+++ b/src/pretix/static/pretixcontrol/js/ui/outgoingmail.js
@@ -6,7 +6,7 @@ function is_sandbox_supported() {
 function safe_render(url, parent) {
     // Estimate the height that prevents the user from having to scroll on two levels to see the full email
     const height = (
-        window.innerHeight - parent.parent().get(0).getBoundingClientRect().top - document.querySelector("footer").getBoundingClientRect().height - 20
+        Math.max(400, window.innerHeight - parent.parent().get(0).getBoundingClientRect().top - document.querySelector("footer").getBoundingClientRect().height - 20)
     ) + "px";
     const iframe = (
@@ -22,7 +22,7 @@ function safe_render(url, parent) {
         .attr("class", "html-email")
         .attr("src", url)
         .attr("sandbox", "allow-popups allow-popups-to-escape-sandbox")
-        .attr("csp", "script-src 'none'; font-src 'none'; connect-src 'none'; form-action 'none'") // respected only by chrome
+        .attr("csp", "script-src 'none'; font-src 'none'; connect-src 'none'; form-action 'none'; style-src 'unsafe-inline'") // respected only by chrome
         .prop("credentialless", true) // respected only by chrome
     );
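Review bot: The new `'style-src': ["'unsafe-inline'"]` entry relaxes the Content-Security-Policy of the whole OutgoingMailDetailView response, not just of the sandboxed preview frame, so inline styles anywhere on this control page are now CSP-permitted; the added comment points to another file instead of stating why the page-level header has to carry the relaxation (presumably because the preview is loaded as a `data:` document, which inherits the embedding page's policy — `frame-src` lists `data:` just above — confirm). Suggested replacement for the two comment lines: `# The sandboxed preview frame (data: URL, see frame-src above) inherits this page's CSP, so the HTML email's inline styles need 'unsafe-inline' here; outgoingmail.js adds the frame-level restrictions.` The comment also misspells "Unfortunately". The enclosing method starts and ends outside the hunk.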
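Review bot: The minimum preview height `400` in the new `Math.max(400, ...)` is a bare magic number on a line that already has no room for explanation; a named constant above the function, `const MIN_PREVIEW_HEIGHT = 400; // px, so a small viewport never collapses the sandboxed preview`, and `Math.max(MIN_PREVIEW_HEIGHT, ...)` here would make the intent readable. The rest of safe_render continues outside this hunk.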
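Review bot: The `style-src 'unsafe-inline'` appended to the iframe `csp` attribute deserves its own comment, because it does two things at once: it allows the email's inline styles, and by listing only that source it disallows external stylesheets (`<link>`/`@import`) inside the frame, which the directive list, having no `default-src`, previously left unrestricted — while, as the trailing comment already says, the attribute is only honoured by Chromium, so no other browser gets either effect. Suggest extending the trailing comment to `// respected only by chrome; style-src: inline styles only, external stylesheets blocked`. The page-level CSP in mail.py is relaxed for the same preview in this commit; a comment in one place noting that the two policies are meant to be read together would help the next maintainer. safe_render begins before this hunk and may continue after the closing `);`.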