Make CSP more strict (#7390)
closes https://gravitational.zendesk.com/agent/tickets/3062
This commit is contained in:
parent
6c34385e35
commit
79f7d4b1e7
@ -63,13 +63,18 @@ func SetIndexHTMLHeaders(h http.Header) {
// Set content policy flags
var cspValue = strings.Join([]string{
// enterprise version uses stripe.com to update billing information
"default-src 'self'",
// cloud version uses stripe.com to update billing information
"script-src 'self' https://js.stripe.com",
// 'unsafe-inline' needed for reactjs inline styles
"frame-src https://js.stripe.com",
"frame-ancestors 'none'",
// 'unsafe-inline' is required by CSS-in-JS to work
"style-src 'self' 'unsafe-inline'",
"object-src 'none'",
"img-src 'self' data: blob:",
"font-src 'self' data:",
"base-uri 'self'",
"form-action 'self'",
}, ";")
h.Set("Content-Security-Policy", cspValue)
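Review bot: The policy string is rebuilt with strings.Join on every call of SetIndexHTMLHeaders, at the `var cspValue = strings.Join([]string{` declaration, even though every element is a literal; hoisting it to a package-level `var cspValue = strings.Join([]string{ ... }, ";")` (or a single string constant) evaluates it once and gives reviewers one place to read the whole policy. One thing to confirm rather than assume: no connect-src directive is set, so XHR/fetch/WebSocket fall back to default-src 'self', and if the Stripe.js script allowed by script-src makes its own network calls to other Stripe origins those would be blocked and surface as CSP violations in the cloud billing flow — worth checking in the browser console before relying on this tightening. The leading comment `// Set content policy flags` would be clearer as `// Set the Content-Security-Policy for index.html`, since "flags" suggests booleans rather than CSP directives. SetIndexHTMLHeaders begins before the hunk, so its earlier header writes are not visible here.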