gratipay · EdOverflow · Dec 22, 2016 · Dec 22, 2016 · Dec 22, 2016 · Dec 22, 2016
diff --git a/gratipay/security/__init__.py b/gratipay/security/__init__.py
@@ -47,10 +47,10 @@ def add_headers_to_response(response):
     # Allow fonts from cloud.typography.com.
     if 'content-security-policy' not in response.headers:
         response.headers['content-security-policy'] = ("default-src 'self';"
-                                                       'script-src assets.gratipay.com;'
-                                                       'style-src assets.gratipay.com;'
+                                                       "script-src assets.gratipay.com 'unsafe-inline';"
+                                                       'style-src assets.gratipay.com cloud.typography.com;'
                                                        'img-src *;'
-                                                       'font-src cloud.typography.com;'
+                                                       'font-src assets.gratipay.com cloud.typography.com;'
                                                        'upgrade-insecure-requests;'
                                                        'block-all-mixed-content;'
                                                        'reflected-xss block;')
diff --git a/tests/py/test_security.py b/tests/py/test_security.py
@@ -55,11 +55,11 @@ def test_ahtr_sets_x_xss_protection(self):
 
     def test_ahtr_sets_content_security_policy(self):
         headers = self.client.GET('/about/').headers
-        policy = ('default-src \'self\';'
-                  'script-src assets.gratipay.com;'
-                  'style-src assets.gratipay.com;'
+        policy = ("default-src 'self';"
+                  "script-src assets.gratipay.com 'unsafe-inline';"
+                  'style-src assets.gratipay.com cloud.typography.com;'
                   'img-src *;'
-                  'font-src cloud.typography.com;'
+                  'font-src assets.gratipay.com cloud.typography.com;'
                   'upgrade-insecure-requests;'
                   'block-all-mixed-content;'
                   'reflected-xss block;')