
Commit 581412f

CSP: adjust configuration to fix errors on /series/add page.
Addressed to #226
1 parent db31836 commit 581412f


1 file changed

+6
-1
lines changed


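--- a/src/main/java/ru/mystamps/web/support/spring/security/SecurityConfig.java
+++ b/src/main/java/ru/mystamps/web/support/spring/security/SecurityConfig.java
@@ -122,7 +122,10 @@ protected void configure(HttpSecurity http) throws Exception {
 "default-src 'none'; "
 // 'self' is required for: our own CSS files
 // 'https://cdn.rawgit.com' is required for: languages.min.css (TODO: GH #246)
-+ "style-src 'self' https://cdn.rawgit.com; "
+// 'sha256-Dpm...' is required for: 'box-shadow: none; border: 0px;' inline CSS
+// that are using on /series/add and /series/{id} pages.
++ "style-src 'self' https://cdn.rawgit.com "
++ "'sha256-DpmxvnMJIlwkpmmAANZYNzmyfnX2PQCBDO4CB2BFjzU='; "
 // 'self' is required for: our own JS files
 // 'unsafe-inline' is required for: jquery.min.js (that is using code inside of
 // event handlers. We can't use hashing algorithms because they aren't supported
@@ -131,6 +134,8 @@ protected void configure(HttpSecurity http) throws Exception {
 // https://github.com/jquery/jquery/blob/d71f6a53927ad02d/jquery.js#L1441-L1447
 // and https://w3c.github.io/webappsec-csp/#unsafe-hashed-attributes-usage)
 + "script-src 'self' 'unsafe-inline'; "
+// 'self' is required for: AJAX requests from our scripts (country suggestions)
++ "connect-src 'self'; "
 // 'self' is required for: uploaded images and its previews
 // 'https://cdn.rawgit.com' is required for: languages.png (TODO: GH #246)
 // 'https://raw.githubusercontent.com' is required for: languages.png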
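Review bot: The new `'sha256-...'` source in `style-src` authorises an inline `<style>` element, but if the `box-shadow: none; border: 0px;` rule is applied through a `style=` attribute on /series/add (the added comment does not say which form is used), CSP Level 3 browsers only honour a hash for attributes when `'unsafe-hashes'` is also listed, and Level 2 browsers ignore hashes for attributes entirely — worth verifying against the template before relying on this fix. The hash is also brittle: any whitespace or ordering change in that inline CSS silently invalidates it and the page loses the styling with only a console report, so the comment should pin the exact hashed bytes, e.g. `// hash of the exact string "box-shadow: none; border: 0px;" — regenerate whenever that CSS changes`. Minor wording on the added comment: `// that are using on /series/add` reads better as `// that is used on /series/add`. The enclosing `configure(HttpSecurity)` method begins and ends outside both hunks.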
