Merge pull request #41 from cmason3/dev
fix CSP with data: URLs
cmason3 authored Jun 19, 2024
2 parents 5f8f546 + 88c27ea commit bd46f1a
Showing 2 changed files with 6 additions and 3 deletions.
4 changes: 4 additions & 0 deletions CHANGELOG.md
@@ -1,5 +1,8 @@
## CHANGELOG

### [24.6.1] - Jun 20, 2024
- Updated `Content-Security-Policy` to explicitly allow `data:` scheme for `img-src` as `*` doesn't permit it

### [24.6.0] - Jun 20, 2024
- Added an actual CHANGELOG.md instead of relying on GitHub Release history
- The `Content-Security-Policy` header is now set as a HTTP response header and uses a standard value for all pages
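Review bot: the new 24.6.1 entry is dated Jun 20, 2024 while this commit is authored Jun 19, 2024; either align the date or make clear it is the release date rather than the change date. The rationale given ("`*` doesn't permit it") is correct and worth keeping: a CSP `*` source expression matches only network schemes (http:, https:, ws:, wss:), never `data:` or `blob:`, so the scheme has to be listed explicitly. Since the commit message only says "fix CSP with data: URLs", it would help future readers to also name the feature that broke without it, so anyone tightening `img-src` again later knows what to re-test. Minor, in the unchanged 24.6.0 line: "as a HTTP response header" should read "as an HTTP response header".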
@@ -309,6 +312,7 @@
### 21.11.0 - Nov 29, 2021
- Initial release

[24.6.1]: https://github.com/cmason3/jinjafx_server/compare/24.6.0...24.6.1
[24.6.0]: https://github.com/cmason3/jinjafx_server/compare/24.5.0...24.6.0
[24.5.0]: https://github.com/cmason3/jinjafx_server/compare/24.3.0...24.5.0
[24.3.0]: https://github.com/cmason3/jinjafx_server/compare/24.1.1...24.3.0
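Review bot: the `[24.6.1]` link reference is added here to back the `### [24.6.1]` heading at the top of the file, which is consistent with the other entries. Style point: the oldest entry, `### 21.11.0 - Nov 29, 2021`, is the only one not written as a bracketed link reference; for consistency give it a reference too (a tag URL rather than a compare URL, since there is no earlier release to compare against).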
5 changes: 2 additions & 3 deletions jinjafx_server.py
@@ -28,7 +28,7 @@
import re, argparse, hashlib, traceback, glob, hmac, uuid, struct, binascii, gzip, requests, ctypes, subprocess
import cmarkgfm, emoji

__version__ = '24.6.0'
__version__ = '24.6.1'

llock = threading.RLock()
rlock = threading.RLock()
@@ -415,9 +415,8 @@ def do_GET(self, head=False, cache=True, versioned=False):

elif r[1] == 200 or r[1] == 304:
if r[1] == 200:
# self.send_header('Content-Security-Policy', "frame-ancestors 'none'")
self.send_header('X-Content-Type-Options', 'nosniff')
self.send_header('Content-Security-Policy', "default-src 'self'; style-src 'self' https://cdnjs.cloudflare.com 'unsafe-inline'; script-src 'self' https://cdnjs.cloudflare.com; img-src *; frame-ancestors 'none'")
self.send_header('Content-Security-Policy', "default-src 'self'; style-src 'self' https://cdnjs.cloudflare.com 'unsafe-inline'; script-src 'self' https://cdnjs.cloudflare.com; img-src data: *; frame-ancestors 'none'")
self.send_header('Referrer-Policy', 'strict-origin-when-cross-origin')

self.send_header('Cache-Control', 'max-age=0, must-revalidate')
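Review bot: `img-src data: *` is the right scope for this fix: the CSP `*` source matches only network schemes, so `data:` must be listed explicitly, and keeping it out of `default-src` and `script-src` (which stay `'self'` plus the cdnjs origin here) preserves the script restrictions, which is where a `data:` URL would otherwise become executable content. Dropping the commented-out `# self.send_header('Content-Security-Policy', "frame-ancestors 'none'")` line is also correct, since the live header already carries `frame-ancestors 'none'`. Style: the header value is now one long string literal; building it from a list of directives joined with `'; '` would let each directive sit on its own reviewable line. Pre-existing but worth a follow-up: `style-src` still carries `'unsafe-inline'`, so inline style injection is not mitigated by this policy; a nonce or hash for the inline styles the pages need would allow that keyword to be removed.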

0 comments on commit bd46f1a