From eb82ff4ca5e153a104ebd24ced6746442972f9c5 Mon Sep 17 00:00:00 2001 From: Jonny Barnes Date: Sat, 27 May 2023 18:19:42 +0100 Subject: [PATCH] fix: Add unsafe-inline to style-src CSP header - Improve content-security policy for better website security - Add `'unsafe-inline'` to the `style-src` header in `CSPHeader.php` --- app/Http/Middleware/CSPHeader.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/Http/Middleware/CSPHeader.php b/app/Http/Middleware/CSPHeader.php index 07e77e3a..d5cd4c53 100644 --- a/app/Http/Middleware/CSPHeader.php +++ b/app/Http/Middleware/CSPHeader.php @@ -25,7 +25,7 @@ class CSPHeader ->header( 'Content-Security-Policy', "default-src 'self'; " . - "style-src 'self' cloud.typography.com jonnybarnes.uk; " . + "style-src 'self' 'unsafe-inline' cloud.typography.com jonnybarnes.uk; " . "img-src 'self' data: blob: https://pbs.twimg.com https://jbuk-media.s3-eu-west-1.amazonaws.com https://jbuk-media-dev.s3-eu-west-1.amazonaws.com https://secure.gravatar.com https://graph.facebook.com *.fbcdn.net https://*.cdninstagram.com https://*.4sqi.net https://upload.wikimedia.org; " . "font-src 'self' data:; " . "frame-src 'self' https://www.youtube.com blob:; " .