author | Steffen Busch <[email protected]> | 2024-07-07 14:56:47 +0200 |
---|---|---|
committer | GitHub <[email protected]> | 2024-07-07 06:56:47 -0600 |
commit | 88c7e53da55e23c113d4d1f2b67ddf8b978e8a45 (patch) | |
tree | 20b589233d7c79db828dbdd00ba71ea077887b50 | |
parent | 4ef360745dab1023a7d4c04aebca3d05499dd5e1 (diff) | |
browse: fix Content-Security-Policy warnings in Firefox (#6443)
* Remove 'strict-dynamic' + block-all-mixed-content
* CSP: remove 'unsafe-inline' from script-src
-rw-r--r-- | modules/caddyhttp/fileserver/browse.html | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/modules/caddyhttp/fileserver/browse.html b/modules/caddyhttp/fileserver/browse.html
index 43d5f4514..1e21a9d11 100644
--- a/modules/caddyhttp/fileserver/browse.html
+++ b/modules/caddyhttp/fileserver/browse.html
@@ -1,6 +1,6 @@
 {{ $nonce := uuidv4 -}}
 {{ $nonceAttribute := print "nonce=" (quote $nonce) -}}
-{{ $csp := printf "default-src 'none'; img-src 'self'; object-src 'none'; base-uri 'none'; script-src 'strict-dynamic' 'nonce-%s' 'unsafe-inline' https: http:; style-src 'strict-dynamic' 'nonce-%s'; frame-ancestors 'self'; form-action 'self'; block-all-mixed-content;" $nonce $nonce -}}
+{{ $csp := printf "default-src 'none'; img-src 'self'; object-src 'none'; base-uri 'none'; script-src 'nonce-%s'; style-src 'nonce-%s'; frame-ancestors 'self'; form-action 'self';" $nonce $nonce -}}
 {{/* To disable the Content-Security-Policy, set this to false */}}{{ $enableCsp := true -}}
 {{ if $enableCsp -}}
 {{- .RespHeader.Set "Content-Security-Policy" $csp -}} |
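Review bot: The new `$csp` line makes `'nonce-%s'` the only source for both `script-src` and `style-src`, so every `<script>` and `<style>` element in the template must carry `{{ $nonceAttribute }}`. Inline event handlers, `style="…"` attributes and scripts injected at runtime by a nonced script are no longer permitted by anything in the policy; the template body lies outside this hunk, so whether it relies on any of these cannot be confirmed from here. A short comment in front of the line would stop a later edit from re-adding the fallbacks, e.g. `{{/* nonce-only CSP: no 'unsafe-inline' or scheme fallbacks; every inline script/style needs $nonceAttribute */}}`. Separately, the nonce on the first context line comes from `uuidv4`, which has 122 random bits, slightly under the 128 bits the CSP specification recommends; it is presumably drawn from a CSPRNG, but that is worth confirming.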