Do not rely on CSP nonce support (breaks safari)

2026-05-04 15:04:03 +00:00 · 2017-08-23 13:36:35 +02:00
parent 50ca6ee63d
commit f9fcc16f54
1 changed files with 1 additions and 1 deletions
--- a/src/pretix/base/middleware.py
+++ b/src/pretix/base/middleware.py
@@ -183,7 +183,7 @@ class SecurityMiddleware(MiddlewareMixin):
            # frame-src is deprecated but kept for compatibility with CSP 1.0 browsers, e.g. Safari 9
            'frame-src': ['{static}', 'https://checkout.stripe.com', 'https://js.stripe.com'],
            'child-src': ['{static}', 'https://checkout.stripe.com', 'https://js.stripe.com'],
-            'style-src': ["{static}", "'nonce-{nonce}'"],
+            'style-src': ["{static}", "{media}", "'nonce-{nonce}'"],
            'connect-src': ["{dynamic}", "https://checkout.stripe.com"],
            'img-src': ["{static}", "{media}", "data:", "https://*.stripe.com"],
            # form-action is not only used to match on form actions, but also on URLs