Csp: Include `script-src 'self';

fixes #5180
Icinga · Feb 2, 2024 · 0258676 · 0258676
1 parent cd2daeb
commit 0258676
Showing 1 changed file with 5 additions and 1 deletion.
diff --git a/library/Icinga/Util/Csp.php b/library/Icinga/Util/Csp.php
@@ -51,7 +51,11 @@ public static function addHeader(Response $response): void
             throw new RuntimeException('No nonce set for CSS');
         }
 
-        $response->setHeader('Content-Security-Policy', "style-src 'self' 'nonce-$csp->styleNonce';", true);
+        $response->setHeader(
+            'Content-Security-Policy',
+            "script-src 'self'; style-src 'self' 'nonce-$csp->styleNonce';",
+            true
+        );
     }
 
     /**