usbarmory / interlock

INTERLOCK - file encryption and HSM front-end

Content Security Policy: allow unsafe-inline into script-src #41

Closed vloup closed 5 years ago

vloup commented 5 years ago

Hello,

When using your app, it looks like my browser is throwing CSP errors in my console because the 'unsafe-inline' value is missing from the script-src rule. You can add this in internal/api.go.

It does not seem to affect global usage much, but both of your templates have some inline JavaScript.

And while you're there, you may want to add others such as Strict-Transport-Security, Feature-Policy, Referrer-Policy, X-Content-Type-Options, X-Frame-Options, X-Permitted-Cross-Domain-Policies, X-Robots-Tag, X-XSS-Protection, X-Download-Options, etc. Those are just the ones I usually add when I set up a web server.

Thanks for the awesome app!

danbia commented 5 years ago

Hi, we've added the 'unsafe-inline' to the script-src directive in order to prevent this warning on some browsers.
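Adding 'unsafe-inline' to script-src silences the console warning, but it also tells the browser to run any inline script on the page, including one an attacker manages to inject, so the policy stops mitigating XSS. The alternative that keeps inline scripts working is to allow them by per-response nonce or by SHA-256 hash. The Go middleware below is an added example written for this thread, not code from the INTERLOCK repository; the template, the static inline script, the header values and the names SecurityHeaders, BuildCSP, ScriptHash and PageHandler are all assumptions made for the illustration.

```go
package main

import (
	"context"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"html/template"
	"net/http"
	"strings"
)

// Constructed page template (not one of INTERLOCK's): the inline script
// carries the per-request nonce, so the CSP can allow it without 'unsafe-inline'.
const pageTmpl = `<!doctype html><html><head><title>demo</title></head><body>
<script nonce="{{.Nonce}}">console.log("nonced inline script");</script>
</body></html>`

// Constructed inline script that ships unchanged in every response; for such
// scripts a precomputed hash can be allowed instead of a nonce.
const staticInline = `console.log("static inline script");`

type ctxKey struct{}

// ScriptHash returns the CSP source expression 'sha256-...' for an inline
// script body. The hash covers the exact text between <script> and </script>.
func ScriptHash(src string) string {
	sum := sha256.Sum256([]byte(src))
	return "'sha256-" + base64.StdEncoding.EncodeToString(sum[:]) + "'"
}

// NewNonce returns a fresh, unguessable nonce: 128 bits from crypto/rand,
// URL-safe base64 so html/template does not entity-escape it in the attribute.
func NewNonce() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// NonceFromContext lets handlers retrieve the nonce chosen for this request.
func NonceFromContext(ctx context.Context) string {
	n, _ := ctx.Value(ctxKey{}).(string)
	return n
}

// BuildCSP assembles the policy for one response: scripts must carry the
// nonce or match one of the precomputed hashes; 'unsafe-inline' is absent.
func BuildCSP(nonce string, hashes []string) string {
	scriptSrc := append([]string{"'self'", "'nonce-" + nonce + "'"}, hashes...)
	return strings.Join([]string{
		"default-src 'self'",
		"script-src " + strings.Join(scriptSrc, " "),
		"object-src 'none'",
		"base-uri 'self'",
		"frame-ancestors 'none'",
	}, "; ")
}

// SecurityHeaders wraps a handler, sets the CSP plus the other hardening
// headers mentioned in the issue, and passes the nonce down via the context.
func SecurityHeaders(next http.Handler, hashes []string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		nonce, err := NewNonce()
		if err != nil {
			http.Error(w, "nonce generation failed", http.StatusInternalServerError)
			return
		}
		h := w.Header()
		h.Set("Content-Security-Policy", BuildCSP(nonce, hashes))
		h.Set("Strict-Transport-Security", "max-age=31536000; includeSubDomains")
		h.Set("X-Content-Type-Options", "nosniff")
		h.Set("X-Frame-Options", "DENY")
		h.Set("Referrer-Policy", "no-referrer")
		h.Set("X-Permitted-Cross-Domain-Policies", "none")
		next.ServeHTTP(w, r.WithContext(context.WithValue(r.Context(), ctxKey{}, nonce)))
	})
}

var page = template.Must(template.New("page").Parse(pageTmpl))

// PageHandler renders the template with the nonce the middleware generated.
func PageHandler(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	if err := page.Execute(w, struct{ Nonce string }{NonceFromContext(r.Context())}); err != nil {
		http.Error(w, "render failed", http.StatusInternalServerError)
	}
}

func main() {
	hashes := []string{ScriptHash(staticInline)}
	fmt.Println("CSP hash for the static inline script:", hashes[0])
	http.ListenAndServe("127.0.0.1:8080", SecurityHeaders(http.HandlerFunc(PageHandler), hashes))
}
```

The nonce must be generated per response and never reused, since a fixed or predictable nonce is equivalent to 'unsafe-inline'. Hashes suit scripts whose text never changes; any edit to the script, even whitespace, changes the hash and the browser will block it until the policy is regenerated. Browsers that understand nonce or hash sources ignore 'unsafe-inline' when either is present in the same directive, so a policy listing both only relaxes protection on older browsers.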