Outgoing mails: Fix cross-browser support

2026-05-04 15:04:03 +00:00 · 2026-01-30 11:37:10 +01:00
parent c40e34af57
commit 8c4e0bdb82
2 changed files with 5 additions and 2 deletions
--- a/src/pretix/control/views/mail.py
+++ b/src/pretix/control/views/mail.py
@@ -112,6 +112,9 @@ class OutgoingMailDetailView(OrganizerDetailViewMixin, OrganizerPermissionRequir
            h = {}
        csps = {
            'frame-src': ['data:'],
+            # Unfortuantely, we can't avoid unsafe-inline for style here.
+            # See outgoingmail.js for the protection measures we take.
+            'style-src': ["'unsafe-inline'"],
        }
        _merge_csp(h, csps)
        response['Content-Security-Policy'] = _render_csp(h)
--- a/src/pretix/static/pretixcontrol/js/ui/outgoingmail.js
+++ b/src/pretix/static/pretixcontrol/js/ui/outgoingmail.js
@@ -6,7 +6,7 @@ function is_sandbox_supported() {
 function safe_render(url, parent) {
    // Estimate the height that prevents the user from having to scroll on two levels to see the full email
    const height = (
-        window.innerHeight - parent.parent().get(0).getBoundingClientRect().top - document.querySelector("footer").getBoundingClientRect().height - 20
+        Math.max(400, window.innerHeight - parent.parent().get(0).getBoundingClientRect().top - document.querySelector("footer").getBoundingClientRect().height - 20)
    ) + "px";

    const iframe = (
@@ -22,7 +22,7 @@ function safe_render(url, parent) {
            .attr("class", "html-email")
            .attr("src", url)
            .attr("sandbox", "allow-popups allow-popups-to-escape-sandbox")
-            .attr("csp", "script-src 'none'; font-src 'none'; connect-src 'none'; form-action 'none'")  // respected only by chrome
+            .attr("csp", "script-src 'none'; font-src 'none'; connect-src 'none'; form-action 'none'; style-src 'unsafe-inline'")  // respected only by chrome
            .prop("credentialless", true)  // respected only by chrome
    );