diff --git a/gratipay/security/__init__.py b/gratipay/security/__init__.py
index 71c351e7d4..99957486c5 100644
--- a/gratipay/security/__init__.py
+++ b/gratipay/security/__init__.py
@@ -47,10 +47,10 @@ def add_headers_to_response(response):
     # Allow fonts from cloud.typography.com.
     if 'content-security-policy' not in response.headers:
         response.headers['content-security-policy'] = ("default-src 'self';"
-                                                        'script-src assets.gratipay.com;'
-                                                        'style-src assets.gratipay.com;'
+                                                        "script-src assets.gratipay.com 'unsafe-inline';"
+                                                        'style-src assets.gratipay.com cloud.typography.com;'
                                                         'img-src *;'
-                                                        'font-src cloud.typography.com;'
+                                                        'font-src assets.gratipay.com cloud.typography.com;'
                                                         'upgrade-insecure-requests;'
                                                         'block-all-mixed-content;'
                                                         'reflected-xss block;')
diff --git a/tests/py/test_security.py b/tests/py/test_security.py
index dd682adccb..c355250f39 100644
--- a/tests/py/test_security.py
+++ b/tests/py/test_security.py
@@ -55,11 +55,11 @@ def test_ahtr_sets_x_xss_protection(self):
 
     def test_ahtr_sets_content_security_policy(self):
         headers = self.client.GET('/about/').headers
-        policy = ('default-src \'self\';'
-                  'script-src assets.gratipay.com;'
-                  'style-src assets.gratipay.com;'
+        policy = ("default-src 'self';"
+                  "script-src assets.gratipay.com 'unsafe-inline';"
+                  'style-src assets.gratipay.com cloud.typography.com;'
                   'img-src *;'
-                  'font-src cloud.typography.com;'
+                  'font-src assets.gratipay.com cloud.typography.com;'
                   'upgrade-insecure-requests;'
                   'block-all-mixed-content;'
                   'reflected-xss block;')
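Review bot: Adding `'unsafe-inline'` to `script-src` on the new side of the first hunk removes the protection this header exists to provide, because the browser will then execute any inline script present in the page, including one injected through a markup-injection flaw, and the CSP's XSS defence collapses to the host allowlist. If inline scripts are genuinely required, a per-response nonce (`'nonce-<value>'` emitted both in the header and on each trusted `<script>` tag) or a `'sha256-…'` hash of the fixed inline blocks keeps the directive strict; that change belongs in `add_headers_to_response`, whose signature sits above the hunk and whose body continues below it. The comment `# Allow fonts from cloud.typography.com.` above the `if` is now stale, since the policy also admits inline scripts and `assets.gratipay.com` for styles and fonts; I would change it to `# Allow assets.gratipay.com for scripts/styles/fonts and cloud.typography.com for styles/fonts.`. The trailing `reflected-xss block;` directive was never standardised and is ignored by current browsers, so it does not compensate for a permissive `script-src`.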
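Review bot: The new `policy` literal in `test_ahtr_sets_content_security_policy` is a verbatim copy of the production string, so the test only verifies that both copies were edited together and accepts this loosening of the policy without comment; the property worth pinning is that `script-src` never carries `'unsafe-inline'`. Splitting the header value on `;` into a directive map and asserting on the `script-src` entry, e.g. `assert "'unsafe-inline'" not in directives['script-src']`, would catch exactly the change made in `gratipay/security/__init__.py` in this commit, and would stop the test from having to be rewritten whenever a host is added. The method body continues past the hunk, so the comparison against `headers` is not visible here.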