From 821eae2c816f7bc996414c0b5a13c91ca4eed0e0 Mon Sep 17 00:00:00 2001
From: EdOverflow
Date: Thu, 22 Dec 2016 17:19:48 +0100
Subject: [PATCH] Add script-src 'unsafe-inline'
---
 gratipay/security/__init__.py | 1 +
 tests/py/test_security.py | 1 +
 2 files changed, 2 insertions(+)
diff --git a/gratipay/security/__init__.py b/gratipay/security/__init__.py
index 72216224f8..077d58fb24 100644
--- a/gratipay/security/__init__.py
+++ b/gratipay/security/__init__.py
@@ -51,6 +51,7 @@ def add_headers_to_response(response):
 'style-src assets.gratipay.com cloud.typography.com;'
 'img-src *;'
 'font-src assets.gratipay.com cloud.typography.com;'
+ "script-src 'unsafe-inline'"
 'upgrade-insecure-requests;'
 'block-all-mixed-content;'
 'reflected-xss block;')
diff --git a/tests/py/test_security.py b/tests/py/test_security.py
index 26e7cd8642..46b72534c0 100644
--- a/tests/py/test_security.py
+++ b/tests/py/test_security.py
@@ -60,6 +60,7 @@ def test_ahtr_sets_content_security_policy(self):
 'style-src assets.gratipay.com cloud.typography.com;'
 'img-src *;'
 'font-src assets.gratipay.com cloud.typography.com;'
+ "script-src 'unsafe-inline'"
 'upgrade-insecure-requests;'
 'block-all-mixed-content;'
 'reflected-xss block;')
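Review bot: The added `"script-src 'unsafe-inline'"` literal has no trailing semicolon, so Python's implicit string concatenation fuses it with the next literal and the emitted header contains `script-src 'unsafe-inline'upgrade-insecure-requests;` — one malformed source token, which leaves script-src with no valid source expression (browsers ignore the invalid token and then match nothing, blocking every script) and swallows the `upgrade-insecure-requests` directive entirely. The line should read `"script-src 'unsafe-inline';"`, and the mirrored literal in the tests/py/test_security.py hunk has the same omission, so the test as written pins the broken header instead of catching it. Even with the semicolon, a script-src of only `'unsafe-inline'` lets any injected inline script execute while allowing no host-sourced scripts at all (script-src replaces whatever default-src the policy may set above this hunk, which is outside the view); a nonce or hash source expression plus the intended script hosts would preserve the XSS mitigation the rest of this policy is built for. add_headers_to_response begins outside the hunk.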