
fix: Relax default CSP to allow iconify to work

jamesread 3 months ago
parent
commit
3f46007281
2 changed files with 2 additions and 2 deletions
  1. 1 1
      service/internal/config/config.go
  2. 1 1
      service/internal/config/sanitize.go

+ 1 - 1
service/internal/config/config.go

@@ -281,7 +281,7 @@ func DefaultConfigWithBasePort(basePort int) *Config {
 	config.Prometheus.Enabled = false
 	config.Prometheus.DefaultGoMetrics = false
 	config.Security.HeaderContentSecurityPolicy = true
-	config.Security.ContentSecurityPolicy = "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; frame-ancestors 'none'; base-uri 'self'"
+	config.Security.ContentSecurityPolicy = "default-src 'self'; script-src 'self' 'unsafe-inline' https:; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; connect-src 'self' https:; frame-ancestors 'none'; base-uri 'self'"
 	config.Security.HeaderXContentTypeOptions = true
 	config.Security.HeaderXFrameOptions = true
 	config.Security.XFrameOptions = "DENY"
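Review bot: The new default on the `+` line widens `script-src` to `https:`, which lets the page execute a script from any HTTPS origin and, combined with the existing `'unsafe-inline'`, leaves the CSP with almost no protection against injected script; the same string appears in the sanitize.go hunk below. Allowing the icon service only needs an explicit origin, so the safer default is to name the host the front end actually fetches icons from, e.g. `script-src 'self' 'unsafe-inline' https://<iconify-api-host>; img-src 'self' data: https://<iconify-api-host>; connect-src 'self' https://<iconify-api-host>` (placeholder for whichever origin the client is configured to use). If the icons are fetched with XHR/fetch rather than script tags, `connect-src` and `img-src` alone may be enough and `script-src` can stay as it was. The enclosing `DefaultConfigWithBasePort` starts outside the hunk.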

+ 1 - 1
service/internal/config/sanitize.go

@@ -194,7 +194,7 @@ func (cfg *Config) sanitizeSecurityHeadersCSP() {
 	if !cfg.Security.HeaderContentSecurityPolicy || cfg.Security.ContentSecurityPolicy != "" {
 		return
 	}
-	cfg.Security.ContentSecurityPolicy = "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; frame-ancestors 'none'; base-uri 'self'"
+	cfg.Security.ContentSecurityPolicy = "default-src 'self'; script-src 'self' 'unsafe-inline' https:; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; connect-src 'self' https:; frame-ancestors 'none'; base-uri 'self'"
 }
 
 func (cfg *Config) sanitizeSecurityHeadersXFrameOptions() {
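Review bot: The fallback policy on the `+` line is a verbatim copy of the literal set in `DefaultConfigWithBasePort` in config.go, and this commit had to edit both by hand, which is how the two defaults drift apart over time. A single package-level constant used in both places would keep them in sync, e.g. `const defaultContentSecurityPolicy = "default-src 'self'; ..."` with `cfg.Security.ContentSecurityPolicy = defaultContentSecurityPolicy` here. A short comment on the constant saying which external origins it admits and why would also make the next CSP change reviewable. The enclosing `sanitizeSecurityHeadersCSP` starts before the hunk.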