Add script-src 'unsafe-inline'

gratipay · Dec 22, 2016 · 821eae2 · 821eae2
1 parent 961ce59
commit 821eae2
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 0 deletions.
diff --git a/gratipay/security/__init__.py b/gratipay/security/__init__.py
@@ -51,6 +51,7 @@ def add_headers_to_response(response):
                                                        'style-src assets.gratipay.com cloud.typography.com;'
                                                        'img-src *;'
                                                        'font-src assets.gratipay.com cloud.typography.com;'
+                                                       "script-src 'unsafe-inline'"
                                                        'upgrade-insecure-requests;'
                                                        'block-all-mixed-content;'
                                                        'reflected-xss block;')
diff --git a/tests/py/test_security.py b/tests/py/test_security.py
@@ -60,6 +60,7 @@ def test_ahtr_sets_content_security_policy(self):
                   'style-src assets.gratipay.com cloud.typography.com;'
                   'img-src *;'
                   'font-src assets.gratipay.com cloud.typography.com;'
+                  "script-src 'unsafe-inline'"
                   'upgrade-insecure-requests;'
                   'block-all-mixed-content;'
                   'reflected-xss block;')