diff --git a/gratipay/security/__init__.py b/gratipay/security/__init__.py
index 077d58fb24..99957486c5 100644
--- a/gratipay/security/__init__.py
+++ b/gratipay/security/__init__.py
@@ -47,11 +47,10 @@ def add_headers_to_response(response):
 # Allow fonts from cloud.typography.com.
 if 'content-security-policy' not in response.headers:
 response.headers['content-security-policy'] = ("default-src 'self';"
- "script-src assets.gratipay.com;"
+ "script-src assets.gratipay.com 'unsafe-inline';"
 'style-src assets.gratipay.com cloud.typography.com;'
 'img-src *;'
 'font-src assets.gratipay.com cloud.typography.com;'
- "script-src 'unsafe-inline'"
 'upgrade-insecure-requests;'
 'block-all-mixed-content;'
 'reflected-xss block;')
diff --git a/tests/py/test_security.py b/tests/py/test_security.py
index 46b72534c0..c355250f39 100644
--- a/tests/py/test_security.py
+++ b/tests/py/test_security.py
@@ -56,11 +56,10 @@ def test_ahtr_sets_x_xss_protection(self):
 def test_ahtr_sets_content_security_policy(self):
 headers = self.client.GET('/about/').headers
 policy = ("default-src 'self';"
- 'script-src assets.gratipay.com;'
+ "script-src assets.gratipay.com 'unsafe-inline';"
 'style-src assets.gratipay.com cloud.typography.com;'
 'img-src *;'
 'font-src assets.gratipay.com cloud.typography.com;'
- "script-src 'unsafe-inline'"
 'upgrade-insecure-requests;'
 'block-all-mixed-content;'
 'reflected-xss block;')
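Review bot: Adding `'unsafe-inline'` to `script-src` on the new line removes the XSS protection this header exists to provide, since any script an attacker manages to inject into the page now executes regardless of origin. Note that this is a real loosening and not just a cleanup: the removed second `"script-src 'unsafe-inline'"` fragment was a duplicate directive (browsers honour only the first `script-src`) and was also missing its trailing `;`, so the effective policy before this commit was `script-src assets.gratipay.com` and inline scripts were already being blocked. If inline scripts are needed, the safer replacement is a per-response nonce, e.g. `"script-src assets.gratipay.com 'nonce-%s';" % nonce` with the same value echoed on each `<script nonce=...>` tag, or a `'sha256-...'` hash for a fixed snippet; if `'unsafe-inline'` must stay, it deserves a comment naming which inline scripts require it so it can be revisited. The `reflected-xss block;` directive appears to be a non-standard Chrome experiment and is presumably ignored by current browsers, so it should not be relied on to compensate. The enclosing `add_headers_to_response` starts before this hunk.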
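Review bot: The test pins the header to a verbatim copy of the string in `add_headers_to_response`, so it only checks that the two literals were edited in step and would have passed equally well with the previous, broken duplicate-`script-src` policy. A more useful assertion parses the directives and checks the property that matters, e.g. `directives = dict(d.strip().split(None, 1) for d in headers['content-security-policy'].split(';') if d.strip())` followed by `assert "'unsafe-inline'" not in directives['script-src']`, which would have caught both the earlier unterminated fragment and this loosening. If the inline allowance is intentional, the test should at least carry a comment saying why `'unsafe-inline'` is expected here. The enclosing test class starts before this hunk.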