From ba6f188b200276e731294b2a0e33a6fa6cf662de Mon Sep 17 00:00:00 2001
From: Changaco
Date: Thu, 5 Jan 2017 13:05:54 +0100
Subject: [PATCH] tweak CSP and make it enforceable

---
 liberapay/security/__init__.py | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/liberapay/security/__init__.py b/liberapay/security/__init__.py
index af56e56685..8c7a11193e 100644
--- a/liberapay/security/__init__.py
+++ b/liberapay/security/__init__.py
@@ -30,17 +30,17 @@ def set_default_security_headers(website, response, request=None):
     # https://scotthelme.co.uk/content-security-policy-an-introduction/
     if b'content-security-policy' not in response.headers:
         csp = (
-            b"default-src %(main_domain)s;"
-            b"script-src %(main_domain)s 'unsafe-inline';"
-            b"style-src %(main_domain)s 'unsafe-inline';"
+            b"default-src 'self' %(main_domain)s;"
+            b"script-src 'self' %(main_domain)s 'unsafe-inline';"
+            b"style-src 'self' %(main_domain)s 'unsafe-inline';"
             b"connect-src *;"  # for credit card data
             b"img-src *;"
             b"reflected-xss block;"
         ) % {b'main_domain': website.canonical_host.encode('ascii')}
         csp += website.env.csp_extra.encode()
         if website.canonical_scheme == 'https':
-            csp += b"upgrade-insecure-requests;block-all-mixed-content;"
-        response.headers[b'content-security-policy-report-only'] = csp
+            csp += b"upgrade-insecure-requests;"
+        response.headers[b'content-security-policy'] = csp
 
     # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
     if b'X-XSS-Protection' not in response.headers:
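Review bot: Now that the policy is enforced rather than report-only (`response.headers[b'content-security-policy'] = csp`), the retained `'unsafe-inline'` in `script-src` still permits any injected inline script, so the header mitigates little XSS on its own, and `reflected-xss block;` is a draft directive dropped from CSP Level 2 that shipping browsers do not implement; the X-XSS-Protection block further down is presumably what is meant to cover that case. Directives that do not fall back to `default-src` are also absent (`base-uri`, `form-action`, `frame-ancestors`), so a `<base>` injection or framing of the page is not restricted by this policy unless it is handled elsewhere; adding `b"base-uri 'self';"` and `b"object-src 'none';"` to the tuple is safe with the sources listed, while `form-action` may need the payment provider's origin given the `connect-src *` comment and should be checked before it is added. Flipping to enforcement without a `report-uri` means any breakage from `csp_extra` or a tightened directive will only surface as user bug reports, so keeping a reporting endpoint alongside the enforced header is worth considering. The body of set_default_security_headers starts before and continues past this hunk.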