Commit 828a1d4a authored by Michal Horejsek

Comment about usage of unsafe CSP directives

parent 60f96a79
......@@ -63,6 +63,8 @@ SECURE_HSTS_INCLUDE_SUBDOMAINS = True
# googleapis and gstatic is because of fonts and other libraries (js, maps) hosted at Google's CDN.
# githubusercontent.com/divio is because of Django CMS which checks in admin if there is some update.
# unsafe-inline is needed by Django CMS
# unsafe-eval is needed by CKEditor
CSP_DEFAULT_SRC = ("'self'",)
CSP_SCRIPT_SRC = ("'self'", "'unsafe-inline'", "'unsafe-eval'", '*.googleapis.com', '*.gstatic.com')
CSP_STYLE_SRC = ("'self'", "'unsafe-inline'", '*.googleapis.com')
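Review bot: The wildcard `*.googleapis.com` in `CSP_SCRIPT_SRC` also matches `storage.googleapis.com`, from which anyone can serve files they uploaded to a public Cloud Storage bucket, so combined with `'unsafe-eval'` the script-src gives little protection against injected scripts; list the hosts actually used instead of the wildcard, which per the existing comment are probably `ajax.googleapis.com`, `maps.googleapis.com` and `fonts.googleapis.com` (the last one only in `CSP_STYLE_SRC`). The new comments say why `'unsafe-inline'` and `'unsafe-eval'` are present but not what they cost, so I would extend the first one to `# unsafe-inline is needed by Django CMS; note it disables CSP's protection against inline XSS on every page it applies to`. If the inline scripts and CKEditor are only used by staff, django-csp can relax the policy per view (`csp_update` / `csp_replace` decorators) or a nonce can be issued for the public pages (`CSP_INCLUDE_NONCE_IN = ['script-src']`), which browsers then prefer over `'unsafe-inline'` — this is inferred from the comments, not from the visible code. The comment on the googleapis/gstatic line mentions fonts, but only `CSP_SCRIPT_SRC` and `CSP_STYLE_SRC` are visible; unless `CSP_FONT_SRC` is set elsewhere, font files from `*.gstatic.com` fall back to `default-src 'self'` and will be blocked. The settings block continues outside the hunk.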