Open leplatrem opened 5 years ago
I think CSP functionality should be improved, for example locally for sharing via static_view.
I did some tricks like this (which does not look user-friendly):
```python
from pyramid.events import NewRequest


def add_cors_headers_response_callback(event):
    # Registered for NewRequest; attaches a response callback that only
    # touches responses served from the static "media" view.
    def cors_headers(request, response):
        if request.path.startswith("/v1/media/"):
            settings = request.registry.settings
            host = settings.get("http_host", "*")
            origins = settings.get("cors_origins", "*")
            response.headers.update({
                'Access-Control-Allow-Origin': f'{origins}',
                'Content-Security-Policy': f"object-src {host}",
            })
    event.request.add_response_callback(cors_headers)

...

def includeme(config):
    ...
    config.add_static_view(name='media', path='project.main:media')
    config.add_subscriber(add_cors_headers_response_callback, NewRequest)
```
Or at least some solutions should be documented.

```
Content Security Policy: The page’s settings blocked the loading of a resource at https://firefox-settings-attachments-cdn.stage.mozaws.net/ma…e/product-integrity/1be52f5f-ce54-4471-85b4-44a7800fdfcd.png (“img-src”).
```
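The pattern in the post (set CORS and CSP headers only on responses served under a static prefix) can be written framework-agnostically as a WSGI middleware, which makes it testable without a Pyramid registry. The following is an added example, not code from this issue or from the project: it uses only the standard library, takes the host and the origin allowlist as explicit arguments instead of reading `http_host` / `cors_origins` from settings, echoes back a matching `Origin` instead of a literal `*`, and covers `img-src` as well as `object-src` (the error quoted above was raised by `img-src`). The hostnames and the `/v1/media/` prefix are constructed for the example.

```python
"""Added example (not the project's code): WSGI middleware that attaches CORS and
Content-Security-Policy headers only to responses under a given path prefix."""

from typing import Callable, Iterable, List, Optional, Tuple

Headers = List[Tuple[str, str]]


def build_security_headers(origin: Optional[str],
                           allowed_origins: Iterable[str],
                           host: str) -> Headers:
    """Return the CORS + CSP headers for one response.

    Access-Control-Allow-Origin is emitted only when the request's Origin is on
    the allowlist ('*' in the allowlist means any origin), and the matching
    origin is echoed back rather than a literal '*' (with Vary: Origin so caches
    keep per-origin copies apart). The CSP restricts where plug-in objects and
    images may be loaded from.
    """
    headers: Headers = []
    allowed = set(allowed_origins)
    if origin is not None and ("*" in allowed or origin in allowed):
        headers.append(("Access-Control-Allow-Origin", origin))
        headers.append(("Vary", "Origin"))
    headers.append(("Content-Security-Policy",
                    f"default-src 'none'; object-src {host}; img-src {host}"))
    return headers


class StaticSecurityHeaders:
    """Wrap any WSGI app; add security headers to responses under `prefix`."""

    def __init__(self, app: Callable, prefix: str, host: str,
                 allowed_origins: Iterable[str]) -> None:
        self.app = app
        self.prefix = prefix
        self.host = host
        self.allowed_origins = list(allowed_origins)

    def __call__(self, environ, start_response):
        path = environ.get("PATH_INFO", "")
        if not path.startswith(self.prefix):
            # Not a static media response: pass through untouched.
            return self.app(environ, start_response)
        origin = environ.get("HTTP_ORIGIN")

        def wrapped_start_response(status, headers, exc_info=None):
            extra = build_security_headers(origin, self.allowed_origins, self.host)
            return start_response(status, list(headers) + extra, exc_info)

        return self.app(environ, wrapped_start_response)


def demo_app(environ, start_response):
    """Constructed stand-in for the static view: always serves a tiny 'PNG'."""
    start_response("200 OK", [("Content-Type", "image/png")])
    return [b"\x89PNG"]


def run_request(app: Callable, path: str, origin: Optional[str] = None):
    """Drive one request through a WSGI app; return (status, headers as dict)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path}
    if origin is not None:
        environ["HTTP_ORIGIN"] = origin
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    b"".join(app(environ, start_response))
    return captured["status"], captured["headers"]


if __name__ == "__main__":
    # Constructed hostnames for the example.
    app = StaticSecurityHeaders(demo_app, "/v1/media/",
                                "https://cdn.example.org",
                                ["https://app.example.org"])
    print(run_request(app, "/v1/media/logo.png", "https://app.example.org"))
    print(run_request(app, "/v1/media/logo.png", "https://evil.example"))
    print(run_request(app, "/v1/buckets", "https://app.example.org"))
```

Keeping the allowlist check in `build_security_headers` rather than in the middleware means the same function can be called from a Pyramid response callback (passing `request.headers.get("Origin")`, the configured origins and host) if you would rather not add a middleware layer.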