wxiaoguang
2026-06-19 02:21:41 +08:00
committed by GitHub
parent 9c82394315
commit 21bcca798b
+3 -2
@@ -132,8 +132,9 @@ func (c TemplateContext) HeadMetaContentSecurityPolicy() template.HTML {
// * Maybe this approach should be avoided, don't make the config system too complex, just let users use A
return template.HTML(`<meta http-equiv="Content-Security-Policy" content="` +
// allow all by default (the same as old releases with no CSP)
// maybe some images or markup (external) renders need "data:", need to investigate
`default-src * data:;` +
// * maybe some images or markup (external) renders need "data:", need to investigate
// * avatar upload editor needs "blob:", at least "img-src" and "content-src"
`default-src * data: blob:;` +
// enforce nonce for all scripts, disallow inline scripts
`script-src * 'nonce-` + c.CspScriptNonce() + `';` +